Windows 7 Forums


Windows 7: This is a Security issue, but more!!!

02 May 2009   #61
Dwarf

Windows 8.1 Pro RTM x64
 
 

Hi Paul,

Thanks for clearing up my suspicions with that directory. I don't have HP (home built PC), so I hadn't come across it before, which is why I flagged it up.

There is a folder Installer on the drive, but it is a sub-folder of the Windows folder. This looks normal (if it is in that location - elsewhere is suspicious). When you hover over these files, what does the pop-up say (note that not all have such a pop-up)?

Finally, what security issues have you got, as the flag is showing that you have some problems?


02 May 2009   #62
pjvex386

 

Dwarf:

I edited my post as I realized my error. But this directory is unusual insofar as its contents. The subfolder is hidden, but I can look at the files at the command line after I run attrib. Here is the output for c:\windows\attrib -a -h -s -i *.*:

Access denied - C:\Windows\bfsvc.exe
Access denied - C:\Windows\explorer.exe
Access denied - C:\Windows\fveupdate.exe
Access denied - C:\Windows\HelpPane.exe
Access denied - C:\Windows\hh.exe
Access denied - C:\Windows\mib.bin
Access denied - C:\Windows\notepad.exe
Access denied - C:\Windows\regedit.exe
Access denied - C:\Windows\splwow64.exe
Access denied - C:\Windows\twain.dll
Access denied - C:\Windows\twain_32.dll
Access denied - C:\Windows\twunk_16.exe
Access denied - C:\Windows\twunk_32.exe
Access denied - C:\Windows\winhlp32.exe
Access denied - C:\Windows\WMSysPr9.prx
Access denied - C:\Windows\write.exe


Then once I switch to the installer directory, I run the same attrib command with no problem. So here are the contents of the c:\windows\installer (hidden) directory.


Volume in drive C has no label.
Volume Serial Number is A269-346A

Directory of C:\Windows\Installer

05/02/2009 11:07 AM <DIR> .
05/02/2009 11:07 AM <DIR> ..
05/01/2009 05:13 PM <DIR> $PatchCache$
06/12/2008 08:24 AM 6,626,304 12df686.msi
06/12/2008 08:24 AM 2,349,056 12df68c.msi
12/19/2005 10:52 PM 6,019,584 18ea727.msi
07/29/2008 12:55 PM 242,176 1bb3d9.msi
01/08/2009 02:30 PM 14,909,440 1bb3df.msi
03/20/2009 05:18 PM 3,998,208 1bb3ed.msi
09/19/2008 11:34 PM 3,899,392 1bb3f3.msi
08/26/2008 03:45 AM 5,426,688 1bb3f9.msi
08/14/2008 07:01 PM 3,213,824 1bb3ff.msi
08/08/2008 02:44 AM 3,106,816 1bb405.msi
08/08/2008 02:46 AM 3,106,816 1bb40b.msi
07/29/2008 02:13 AM 3,108,864 1bb412.msi
08/31/2008 05:15 AM 3,772,416 1bb418.msi
07/31/2008 11:53 PM 5,470,728 1bb41e.msi
08/01/2008 11:13 PM 3,129,344 1bb424.msi
07/28/2008 04:08 PM 3,115,520 1bb42a.msi
08/04/2008 09:33 PM 3,110,912 1bb430.msi
07/29/2008 12:56 PM 3,111,936 1bb436.msi
08/29/2008 06:57 AM 3,737,088 1bb43c.msi
07/31/2008 06:39 AM 3,181,568 1bb442.msi
08/01/2008 10:29 PM 3,115,008 1bb448.msi
05/29/2008 10:04 AM 29,696 1bb44e.msi
08/25/2008 09:58 PM 3,146,240 1bb454.msi
08/14/2008 07:18 PM 3,121,664 1bb45a.msi
07/29/2008 02:06 AM 3,109,376 1bb460.msi
07/29/2008 01:48 AM 3,108,864 1bb467.msi
07/29/2008 01:53 AM 3,109,888 1bb46e.msi
07/29/2008 02:04 AM 3,109,376 1bb475.msi
08/12/2008 06:12 PM 3,108,864 1bb47b.msi
08/06/2008 09:52 PM 6,025,728 1bb482.msi
08/14/2008 07:22 PM 3,119,104 1bb488.msi
05/01/2009 02:04 PM 24,064 1bb496.msi
07/29/2008 02:47 AM 3,122,688 1bb49c.msi
09/19/2008 11:33 PM 3,112,448 1bb4a2.msi
07/29/2008 03:03 AM 3,119,104 1bb4a8.msi
09/12/2008 10:54 PM 4,936,192 1bb4ae.msi
08/12/2008 10:39 AM 4,930,048 1bb4b5.msi
08/01/2008 01:23 AM 3,134,464 1bb4bc.msi
08/13/2008 10:16 PM 3,124,736 1bb4c2.msi
08/14/2008 07:15 PM 3,761,664 1bb4c8.msi
08/29/2008 06:42 AM 3,319,296 1bb4ce.msi
08/25/2008 10:05 PM 3,146,240 1bb4d4.msi
07/29/2008 02:17 AM 3,131,904 1bb4da.msi
07/29/2008 02:32 AM 3,131,392 1bb4e0.msi
07/26/2008 05:37 AM 3,152,384 1bb4e6.msi
07/26/2008 05:39 AM 3,152,384 1bb4ec.msi
07/29/2008 02:55 AM 3,122,688 1bb4f2.msi
07/29/2008 03:06 AM 3,119,104 1bb4f8.msi
07/26/2008 05:49 AM 3,112,448 1bb4fe.msi
07/26/2008 05:53 AM 3,112,448 1bb504.msi
08/14/2008 01:06 AM 3,113,984 1bb50a.msi
09/19/2008 11:34 PM 3,121,152 1bb511.msi
09/19/2008 11:23 PM 5,850,624 1bb517.msi
09/19/2008 11:30 PM 6,215,680 1bb51d.msi
05/01/2009 02:25 PM 68,519,424 1bb522.msi
04/02/2009 04:09 PM 14,265,344 2eadf.msi
04/02/2009 04:10 PM 2,083,840 2eae5.msi
04/02/2009 04:09 PM 27,953,664 2eaeb.msi
04/02/2009 04:09 PM 2,713,088 2eaf1.msi
04/02/2009 04:29 PM 41,832,960 2eaf5.msi
05/02/2009 02:11 AM 12,253,184 dccc99.msi
05/01/2009 05:12 PM 0 wix{BA1035C7-14DE-4857-8285-4ACFC74172EC}.SchedServiceConfig.rmi
(previously this was a midi file under filetype)
05/01/2009 02:03 PM <DIR> {00ADFB20-AE75-46F4-AD2C-F48B15AC3100}
05/01/2009 02:03 PM <DIR> {0D6013AB-A0C7-41DC-973C-E93129C9A29F}
05/01/2009 05:12 PM <DIR> {216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
05/02/2009 02:13 AM <DIR> {26A24AE4-039D-4CA4-87B4-2F83216013FF}
05/01/2009 02:05 PM <DIR> {35D94F92-1D3A-43C5-8605-EA268B1A7BD9}
05/01/2009 02:25 PM <DIR> {37EA4EB5-2C4D-40CC-9EB1-762F1711ECDE}
05/01/2009 02:03 PM <DIR> {5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}
05/01/2009 02:04 PM <DIR> {67F0E67A-8E93-4C2C-B29D-47C48262738A}
05/01/2009 05:12 PM <DIR> {6956856F-B6B3-4BE0-BA0B-8F495BE32033}
05/01/2009 01:45 PM <DIR> {889450B1-87C5-4A38-B766-DBBC9845EABE}
05/02/2009 11:06 AM <DIR> {90110409-6000-11D3-8CFE-0150048383C9}
05/02/2009 09:24 AM <DIR> {AC76BA86-1033-F400-7761-000000000004}
05/01/2009 05:13 PM <DIR> {AE303591-1BFC-48B3-881B-655298C4EDE0}
05/01/2009 05:12 PM <DIR> {BA1035C7-14DE-4857-8285-4ACFC74172EC}
05/01/2009 02:01 PM <DIR> {C52E3EC1-048C-45E1-8D53-10B0C6509683}
05/01/2009 05:12 PM <DIR> {DAE239CE-EB9D-4EB3-B0D4-528D6BAA48FD}
05/01/2009 01:51 PM <DIR> {DCCAD079-F92C-44DA-B258-624FC6517A5A}
05/01/2009 02:08 PM <DIR> {E4848436-0345-47E2-B648-8B522FCDA623}
62 File(s) 367,429,128 bytes
21 Dir(s) 228,082,671,616 bytes free

I do not know if the file above was a midi file or not (but it did say this under file type), and when I tried to run it in WMP, it was unable to play it, and when I ran it with VLC, it immediately said I needed a version which corrected a bug that caused problems with multi-screen systems.
In the two screenshots of the installer directory from Windows, I see what now looks rather benign.
[IMG]file:///C:/Users/connor/AppData/Local/Temp/moz-screenshot.jpg[/IMG][IMG]file:///C:/Users/connor/AppData/Local/Temp/moz-screenshot-1.jpg[/IMG] [EDIT: Note: I did not type this (purple text) into this post. Is this automated text? Further, when I saved them, I saved them as .png files from Paint. Perhaps this is just the "prt sc" default directory and filetype. I thought I would mention this anyway since I was unsure.]

Also, while I have installed WIN7 (build 7077) for 64 bit, I keep getting errors that I am not running a 64 bit platform, but rather a 32 bit platform. What type of virtualization programs exist which someone could use to bridge 32 bit applications to 64 bit? Does it emulate a 32 bit machine/OS?

Paul


Attached Thumbnails
This is a Security issue, but more!!!-installera1.png   This is a Security issue, but more!!!-installera2.png  
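The `dir` listing in the post above has a regular enough format to triage mechanically. The Python below is an added example, not code from the thread: it checks that the listing really is of C:\Windows\Installer (the point Dwarf makes about location), that the totals line agrees with the entries, and separates the expected Windows Installer cache layout (per-product GUID folders, $PatchCache$, hex-named .msi/.msp files) from anything that deserves a manual look. The sample listing is constructed; the .rmi entry is the one from the post, while "stray.exe" and "notaguid" are invented so the triage has something to flag.

```python
import re

# Constructed sample in the format of the `dir` listing quoted in the post above. The
# .rmi entry is the one from the listing; "stray.exe" and "notaguid" are invented so the
# triage has something to flag. Totals are chosen to match the entries shown.
SAMPLE_DIR_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\Windows\Installer

05/02/2009 11:07 AM <DIR> .
05/02/2009 11:07 AM <DIR> ..
05/01/2009 05:13 PM <DIR> $PatchCache$
06/12/2008 08:24 AM 6,626,304 12df686.msi
05/01/2009 02:04 PM 24,064 1bb496.msi
05/01/2009 05:12 PM 0 wix{BA1035C7-14DE-4857-8285-4ACFC74172EC}.SchedServiceConfig.rmi
05/01/2009 01:45 PM 512 stray.exe
05/01/2009 02:03 PM <DIR> {00ADFB20-AE75-46F4-AD2C-F48B15AC3100}
05/01/2009 02:03 PM <DIR> notaguid
4 File(s) 6,650,880 bytes
5 Dir(s) 228,082,671,616 bytes free
"""

ENTRY = re.compile(r"^\s*(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2} [AP]M) (<DIR>|[\d,]+) (.+?)\s*$", re.M)
DIRECTORY_OF = re.compile(r"^\s*Directory of (.+?)\s*$", re.M)
FILE_TOTALS = re.compile(r"^\s*(\d+) File\(s\)\s+([\d,]+) bytes", re.M)
DIR_TOTALS = re.compile(r"^\s*(\d+) Dir\(s\)", re.M)
# Normal contents of the Windows Installer cache: per-product GUID folders, the
# $PatchCache$ folder, and cached packages with short hexadecimal names.
GUID_DIR = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
CACHED_PACKAGE = re.compile(r"^[0-9a-f]+\.(?:msi|msp)$", re.I)
EXPECTED_PATH = r"c:\windows\installer"  # compared case-insensitively, as Windows does


def parse_listing(text):
    """Turn `dir` output into entry dicts plus the 'Directory of' path and the totals lines."""
    entries = [
        {"name": m.group(4), "is_dir": m.group(3) == "<DIR>",
         "size": 0 if m.group(3) == "<DIR>" else int(m.group(3).replace(",", ""))}
        for m in ENTRY.finditer(text)
    ]
    path = DIRECTORY_OF.search(text)
    files = FILE_TOTALS.search(text)
    dirs = DIR_TOTALS.search(text)
    return {
        "path": path.group(1) if path else None,
        "entries": entries,
        "file_count": int(files.group(1)) if files else None,
        "byte_total": int(files.group(2).replace(",", "")) if files else None,
        "dir_count": int(dirs.group(1)) if dirs else None,
    }


def classify(entry):
    """'self' for . and .., 'installer-cache' for the expected layout, otherwise 'review'."""
    name = entry["name"]
    if entry["is_dir"]:
        if name in (".", ".."):
            return "self"
        return "installer-cache" if name == "$PatchCache$" or GUID_DIR.match(name) else "review"
    return "installer-cache" if CACHED_PACKAGE.match(name) else "review"


def triage_installer_listing(text):
    """Check that the listing is of the real Installer folder, that its totals agree with
    the entries (a truncated or edited listing would not), and list entries to look at by hand."""
    listing = parse_listing(text)
    entries = listing["entries"]
    files = [e for e in entries if not e["is_dir"]]
    dirs = [e for e in entries if e["is_dir"]]
    return {
        "path_ok": (listing["path"] or "").lower() == EXPECTED_PATH,
        "totals_consistent": (
            listing["file_count"] == len(files)
            and listing["byte_total"] == sum(e["size"] for e in files)
            and listing["dir_count"] == len(dirs)
        ),
        "installer_cache": sum(classify(e) == "installer-cache" for e in entries),
        "review": [e["name"] for e in entries if classify(e) == "review"],
    }


if __name__ == "__main__":
    result = triage_installer_listing(SAMPLE_DIR_LISTING)
    print("listed folder is C:\\Windows\\Installer:", result["path_ok"])
    print("totals line agrees with entries:", result["totals_consistent"])
    print("entries matching the normal cache layout:", result["installer_cache"])
    print("entries to look at by hand:", result["review"])
```

An entry in the "review" list is not a verdict, only something the pattern check cannot vouch for; the .rmi file, for instance, is flagged simply because it is not a cached package.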
02 May 2009   #63
pjvex386

 

DWARF:

To answer your last question re the action center flag. It says that I need AV software... which I describe in my last post as an impossible feat (and even if I do manage to get an AV application installed, I am notified every 2 minutes to "Turn On" firewall protection). I keep turning it on, but it continues to tell me it is not on.

Second, the action center says that Windows Defender needs to be run (among other things -- see screenshot of action center). I have never seen Windows Defender run nor update (and there are never any Windows updates either). But oddly, have a look at this log file from c:\windows\temp. The file is called "MpCmdRun.log". And it appears that Defender is running (and quite frequently too):

-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob
Start Time: Fri May 01 2009 13:50:34

Start: Signatures Update Service
Update Started
Search Started (windows update)...
Time Info - Fri May 01 2009 13:50:48 Search Completed
Download Started...
Download Progress-
Update Index:0 of 1 - 0%
Download Progress-
Update Index:0 of 1 - 0%
Time Info - Fri May 01 2009 13:51:06 Download Progress-
Update Index:0 of 1 - 2%
Time Info - Fri May 01 2009 13:51:18 Download Progress-
Update Index:0 of 1 - 4%
Time Info - Fri May 01 2009 13:51:29 Download Progress-
Update Index:0 of 1 - 6%
Time Info - Fri May 01 2009 13:51:39 Download Progress-
Update Index:0 of 1 - 8%
Time Info - Fri May 01 2009 13:51:49 Download Progress-
Update Index:0 of 1 - 10%
Time Info - Fri May 01 2009 13:52:01 Download Progress-
Update Index:0 of 1 - 13%
Time Info - Fri May 01 2009 13:52:13 Download Progress-
Update Index:0 of 1 - 15%
Time Info - Fri May 01 2009 13:52:29 Download Progress-
Update Index:0 of 1 - 17%
Time Info - Fri May 01 2009 13:52:42 Download Progress-
Update Index:0 of 1 - 19%
Time Info - Fri May 01 2009 13:52:54 Download Progress-
Update Index:0 of 1 - 21%
Time Info - Fri May 01 2009 13:53:05 Download Progress-
Update Index:0 of 1 - 23%
Time Info - Fri May 01 2009 13:53:18 Download Progress-
Update Index:0 of 1 - 26%
Time Info - Fri May 01 2009 13:53:33 Download Progress-
Update Index:0 of 1 - 28%
Time Info - Fri May 01 2009 13:53:48 Download Progress-
Update Index:0 of 1 - 30%
Time Info - Fri May 01 2009 13:54:00 Download Progress-
Update Index:0 of 1 - 32%
Time Info - Fri May 01 2009 13:54:14 Download Progress-
Update Index:0 of 1 - 34%
Time Info - Fri May 01 2009 13:54:28 Download Progress-
Update Index:0 of 1 - 36%
Time Info - Fri May 01 2009 13:54:43 Download Progress-
Update Index:0 of 1 - 39%
Time Info - Fri May 01 2009 13:54:59 Download Progress-
Update Index:0 of 1 - 41%
Time Info - Fri May 01 2009 13:55:12 Download Progress-
Update Index:0 of 1 - 43%
Time Info - Fri May 01 2009 13:55:32 Download Progress-
Update Index:0 of 1 - 45%
Time Info - Fri May 01 2009 13:55:47 Download Progress-
Update Index:0 of 1 - 47%
Time Info - Fri May 01 2009 13:56:00 Download Progress-
Update Index:0 of 1 - 49%
Time Info - Fri May 01 2009 13:56:13 Download Progress-
Update Index:0 of 1 - 52%
Time Info - Fri May 01 2009 13:56:27 Download Progress-
Update Index:0 of 1 - 54%
Time Info - Fri May 01 2009 13:56:40 Download Progress-
Update Index:0 of 1 - 56%
Time Info - Fri May 01 2009 13:56:54 Download Progress-
Update Index:0 of 1 - 58%
Time Info - Fri May 01 2009 13:57:07 Download Progress-
Update Index:0 of 1 - 60%
Time Info - Fri May 01 2009 13:57:23 Download Progress-
Update Index:0 of 1 - 62%
Time Info - Fri May 01 2009 13:57:36 Download Progress-
Update Index:0 of 1 - 65%
Time Info - Fri May 01 2009 13:57:51 Download Progress-
Update Index:0 of 1 - 67%
Time Info - Fri May 01 2009 13:58:06 Download Progress-
Update Index:0 of 1 - 69%
Time Info - Fri May 01 2009 13:58:23 Download Progress-
Update Index:0 of 1 - 71%
Time Info - Fri May 01 2009 13:58:37 Download Progress-
Update Index:0 of 1 - 73%
Time Info - Fri May 01 2009 13:58:48 Download Progress-
Update Index:0 of 1 - 76%
Time Info - Fri May 01 2009 13:58:58 Download Progress-
Update Index:0 of 1 - 78%
Download Progress-
Update Index:0 of 1 - 80%
Time Info - Fri May 01 2009 13:59:20 Download Progress-
Update Index:0 of 1 - 82%
Time Info - Fri May 01 2009 13:59:37 Download Progress-
Update Index:0 of 1 - 84%
Time Info - Fri May 01 2009 13:59:55 Download Progress-
Update Index:0 of 1 - 86%
Time Info - Fri May 01 2009 14:00:13 Download Progress-
Update Index:0 of 1 - 89%
Time Info - Fri May 01 2009 14:00:29 Download Progress-
Update Index:0 of 1 - 91%
Time Info - Fri May 01 2009 14:00:46 Download Progress-
Update Index:0 of 1 - 93%
Time Info - Fri May 01 2009 14:01:03 Download Progress-
Update Index:0 of 1 - 95%
Time Info - Fri May 01 2009 14:01:16 Download Progress-
Update Index:0 of 1 - 97%
Time Info - Fri May 01 2009 14:01:29 Download Progress-
Update Index:0 of 1 - 99%
Download Progress-
Update Index:0 of 1 - 100%
Download Progress-
Update Index:0 of 1 - 100%
Download Completed
Installation Started...
Installation Progress-
Percent Complete:0,
Current Update Index:0 (of 1)
Installation Progress-
Percent Complete:0,
Current Update Index:0 (of 1)
Installation Progress-
Percent Complete:100,
Current Update Index:0 (of 1)
Installation Progress-
Percent Complete:100,
Current Update Index:0 (of 1)
Installation Completed
Update completed succesfuly
End: Signatures Update Service
MpCmdRun: End Time: Fri May 01 2009 14:01:38
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 688A2260-A1E7-BC35-ACC9-AF5ACB4EA416
Start Time: Fri May 01 2009 14:12:12

MpCmdRun: End Time: Fri May 01 2009 14:12:12
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 18C2F5F8-6472-70D3-3A85-F0AA2C3F9294
Start Time: Fri May 01 2009 14:22:37

MpCmdRun: End Time: Fri May 01 2009 14:22:37
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey A435D565-CD56-08AF-CD7C-C681E37DB9A2
Start Time: Fri May 01 2009 14:33:38

MpCmdRun: End Time: Fri May 01 2009 14:33:38
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 0D469D41-B778-B13A-662B-D12CC3991065
Start Time: Fri May 01 2009 17:52:33

MpCmdRun: End Time: Fri May 01 2009 17:52:33
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey C3997AFA-AA96-A7D7-EC02-A7D94A4F4055
Start Time: Sat May 02 2009 00:12:00

MpCmdRun: End Time: Sat May 02 2009 00:12:00
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 2D4A620D-37E0-105E-7F92-E1C303AE73F8
Start Time: Sat May 02 2009 00:22:06

MpCmdRun: End Time: Sat May 02 2009 00:22:06
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey F54A173C-EDB0-E5CD-F0A3-B8C413D1C8C5
Start Time: Sat May 02 2009 01:17:34

MpCmdRun: End Time: Sat May 02 2009 01:17:35
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey D87F1E2A-8FF4-B11E-E964-DE98DCC8C22A
Start Time: Sat May 02 2009 02:09:46

MpCmdRun: End Time: Sat May 02 2009 02:09:46
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 732C2C66-487D-7964-9980-83E8D7B071C5
Start Time: Sat May 02 2009 02:29:51

MpCmdRun: End Time: Sat May 02 2009 02:29:51
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 60D00063-68E2-0758-599B-5294687728A4
Start Time: Sat May 02 2009 02:40:26

MpCmdRun: End Time: Sat May 02 2009 02:40:26
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 96902F4A-6420-41A4-D662-7C7EA173ACAB
Start Time: Sat May 02 2009 03:23:09

MpCmdRun: End Time: Sat May 02 2009 03:23:09
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 348685F5-9768-82F5-9535-666BE0A0835C
Start Time: Sat May 02 2009 03:33:20

MpCmdRun: End Time: Sat May 02 2009 03:33:20
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 3060F66B-75D3-3834-01FB-CC858D38C4BD
Start Time: Sat May 02 2009 09:26:28

MpCmdRun: End Time: Sat May 02 2009 09:26:28
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 625A7DED-3E72-02A3-F807-0D4315E4F10A
Start Time: Sat May 02 2009 09:36:16

MpCmdRun: End Time: Sat May 02 2009 09:36:16
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 2DD73736-4A9E-AA1B-FE5A-2ECBE7DAB6F3
Start Time: Sat May 02 2009 10:34:13

MpCmdRun: End Time: Sat May 02 2009 10:34:13
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 44D40EB4-9B70-2A34-412C-7BEDED998283
Start Time: Sat May 02 2009 11:04:16

MpCmdRun: End Time: Sat May 02 2009 11:04:16
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey A2A5B72E-62B5-C6BC-7E12-C7124817AF81
Start Time: Sat May 02 2009 13:32:27

MpCmdRun: End Time: Sat May 02 2009 13:32:27
-------------------------------------------------------------------------------------

And when I look at the Security tab of this log file, why are the administrators group and the system group shared??? [See screenshot called defenderlog.]

Paul


Attached Thumbnails
This is a Security issue, but more!!!-actioncenter.png   This is a Security issue, but more!!!-defenderlog.png  
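The MpCmdRun.log excerpt above has a regular record structure, which makes it possible to answer the question the post raises (is Defender actually running, and how often?) from the log itself rather than by reading it line by line. The Python below is an added example, not code from the thread; its sample log is constructed to match the quoted format, with a placeholder AccessKey GUID, and the expected executable path is the one that appears in the quoted log lines.

```python
import re
from datetime import datetime

# Constructed sample in the format of the MpCmdRun.log excerpt quoted in the post above.
# The AccessKey GUID is an obvious placeholder, not a value taken from the real log.
SAMPLE_LOG = r"""
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob
Start Time: Fri May 01 2009 13:50:34

Start: Signatures Update Service
Update Started
Installation Completed
Update completed succesfuly
End: Signatures Update Service
MpCmdRun: End Time: Fri May 01 2009 14:01:38
-------------------------------------------------------------------------------------


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 00000000-0000-0000-0000-000000000000
Start Time: Fri May 01 2009 14:12:12

MpCmdRun: End Time: Fri May 01 2009 14:12:12
-------------------------------------------------------------------------------------
"""

# Each MpCmdRun invocation is one record between rows of dashes.
SEPARATOR = re.compile(r"^-{20,}$", re.M)
CMDLINE = re.compile(r'^MpCmdRun: Command Line: "([^"]+)"\s+(\S+)\s*(.*)$', re.M)
START = re.compile(r"^Start Time: (.+)$", re.M)
END = re.compile(r"^MpCmdRun: End Time: (.+)$", re.M)
# The log's own (misspelt) success line, matched loosely so the correct spelling works too.
UPDATE_OK = re.compile(r"^Update completed succes+ful+y$", re.M)
TIME_FORMAT = "%a %b %d %Y %H:%M:%S"
# Where the Defender command-line tool lives on the poster's system; compared case-insensitively.
EXPECTED_EXE = r"c:\program files\windows defender\mpcmdrun.exe"


def parse_time(text):
    return datetime.strptime(text.strip(), TIME_FORMAT)


def parse_mpcmdrun_log(text):
    """Return one dict per MpCmdRun record: which subcommand ran, when, for how long,
    and whether a signature update reported success."""
    records = []
    for chunk in SEPARATOR.split(text):
        cmd = CMDLINE.search(chunk)
        if not cmd:
            continue  # whitespace between records
        exe, command, args = cmd.groups()
        start = START.search(chunk)
        end = END.search(chunk)
        started = parse_time(start.group(1)) if start else None
        ended = parse_time(end.group(1)) if end else None
        records.append({
            "exe": exe,
            "command": command,
            "args": args.strip(),
            "start": started,
            "end": ended,
            "duration_s": (ended - started).total_seconds() if started and ended else None,
            "update_ok": bool(UPDATE_OK.search(chunk)),
        })
    return records


def summarize(records):
    """Per-subcommand counts: how often it ran, how many records never logged an End Time
    (the tool was killed or crashed), and how many signature updates completed."""
    summary = {}
    for rec in records:
        row = summary.setdefault(rec["command"], {"runs": 0, "unterminated": 0, "updates_ok": 0})
        row["runs"] += 1
        row["unterminated"] += int(rec["end"] is None)
        row["updates_ok"] += int(rec["update_ok"])
    return summary


def unexpected_exe_paths(records):
    """Records whose logged executable is not the Defender binary under Program Files."""
    return [rec for rec in records if rec["exe"].lower() != EXPECTED_EXE]


if __name__ == "__main__":
    recs = parse_mpcmdrun_log(SAMPLE_LOG)
    for rec in recs:
        dur = f"{rec['duration_s']:.0f}s" if rec["duration_s"] is not None else "no end time"
        print(f"{rec['start']}  {rec['command']:<24} {dur}")
    print(summarize(recs))
    print("records from an unexpected path:", len(unexpected_exe_paths(recs)))
```

Run against the real file, the summary shows the SpyNetService records as many short runs and the SignaturesUpdateService record as the one that actually fetched definitions, which is consistent with Defender's scheduled activity rather than with it never running.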

02 May 2009   #64
ccatlett1984

 

Go into the BIOS and turn off the Bluetooth radio if you're that paranoid. While yes, with a really high power signal you can broadcast for quite some distance, it's not happening with your laptop. It would be simple one-way communication if only "his" end had the high power radio. Since you claim that he knows what you are doing, then this can't be the case, as your laptop doesn't have that kind of transmit power.

If you are this concerned with it, just pop the hard drive out and nuke it in another machine prior to re-installing the OS. You can get all the drivers you need from www.hp.com/#support/

Might I suggest an end to all this wonderful madness: just sell the damned laptop to someone else and get a different one.
02 May 2009   #65
pjvex386

 

Thank you for your reply....

Unfortunately, my BIOS does not have Bluetooth radio. And what I am suggesting is that the trojan broadcasts an address long enough for the UDP packets to pass through any near enough AP to connect. Then with that connection (this is why I was so confused earlier because I would just get near a wifi router and I would see familiar TCP/UDP routes..... every time..

And, I did dump my old laptop....sold it for $50.

Then after a week I got a new one, and because I had been using a flash drive in the old laptop and then at internet cafés -- I completely spaced and put it in the new laptop. The framework of this virus is a lot like "Downadup". If you go to the Norton page on this virus it refers to fake or created services from certain combinations of keywords. I have almost every one of these services...

And I WANT to stop the madness, except HP doesn't have a bootable iso -- which I know I could do by unpacking the drivers and creating a boot CD, but HP does not put all the drivers needed on their download boards. For example my SATA drive is a Toshiba...but on the page at HP for my model, there is only a driver for certain models which had a Hitachi drive....

So, I ordered the damn disks...and hopefully I will be through with this.

But, after trying Spotmau wipe, Darik Boot and Nuke, and a few others, the freeware from HDDguru -- all without success because they are recognized and hooked and made inoperable before they can run properly.....

So, before I remove the HD, and find another machine to wipe it, if someone can suggest a good but perhaps not so well known utility...I would appreciate it.

Thanks again for everyone's help. I know this is annoying...but like I said, it is like having a new roommate that you are not particularly fond of-- day after day.

Paul
02 May 2009   #66
Uber Philf

W7 RTM Ultimate x64
 
 

I'd have to say, disable your wireless, change your password for your AP, they could use that to get into your laptop, as angryman said earlier.
03 May 2009   #67
darkassain

Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
 
 

First of all, can you show us a Process Explorer log or a pic of it?
For the Bluetooth:
go to Start and type run
there type this...
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL bthprops.cpl,,1
you should come up with the Bluetooth control panel
follow this..
This is a Security issue, but more!!!-blutooth.png
it should completely disable Bluetooth and letting you at the same time advise you if nye
you have done the down
check it every few minutes and see if it is changing...
is this laptop under warranty?
if not, what I would do is this...
I would physically remove it (the Bluetooth dongle)...
that would end the whole Bluetooth hole in your security...
also boot up under a Linux live CD and repartition *everything* that touched your old computer....
(I mean everything that is yours, of course...)


03 May 2009   #68
pjvex386

 

Thank you for your reply D.A. The tone of your post made me both pleased that you sounded like you had heard of this type of bug, and also worried because you sounded grave.

First, I ran the rundll command just as you typed it, and quickly my "Run" dialog box faded away, the mouse pointer "busy circle" spun for about 3 minutes.... I thought my system was going to crash. Then, as if nothing was wrong, everything just snapped back into working order. I double-checked what I had typed and it was correct. I would have tried running it a second time, but I thought I would have to restart my laptop. And in any regard, if I know this bug (this guy), he now has anticipated me doing this, and running that command again will have no effect. So, is there anything else I can do to check BT? Also, is the dongle typically easy to remove like a wireless NIC, or does it vary from laptop to laptop?

There are many times in the past I have done something he or it did not like, but I got no second chances....two off the top of my head were i) when I realized under the DISKPART utility you could select a disk and type "clean all", and ii) when I figured out that if I reinstalled Win 7 from the command line and added the switch/modifier "/dudisabled" which disabled dynamic changes made to the installation process.... in each case when I tried it a second time..... there were no fireworks.... For instance, when I used "diskpart clean all" the second time, my disk light went on, it stayed on, but nothing inside was moving at all, and the light does not flicker the least bit...so I know that is merely a red herring.... (i.e., lights are on, but nobody's home), and secondly, if I try the switch "setup /dudisabled" now, I will always get a dialog box which says that the modifier "/dudisabled" is unrecognized and I get to sit at the blue screen that says "Setup is loading" until I restart.

I am telling you, it or he makes up errors ALL THE TIME... I could tell you at least 10 more errors I know are BS...but just responses so the PC seems somewhat legitimate.

And trust me, all my peripheral storage devices....from my WD backup drive, every flash drive, my iPod, my camera.... all of them will be thoroughly cleaned even if that means I have to douse them with gasoline and set them on fire.


Paul
03 May 2009   #69
pjvex386

 

My apologies, I forgot the Process Explorer shots. I used the Sysinternals PROCEX64 utility....which has a lot of additional information. I did two pages so you could get full detail.

Also, I am attaching a print from the command line app "Tasklist /svc" which shows associated services running with the process in question, and also a print out of "Tasklist /M" which shows the dlls loaded for each process.


Also, just to see if I was right.... I ran the Rundll command again. This time, my laptop didn't even blink. I might as well have been yelling at it. No reaction whatsoever.

Paul

NB: browser is having problems... I will send attachments in the next post.... I am going to restart laptop.
03 May 2009   #70
pjvex386

 

I think in retrospect that command you had me run did terminate my wireless connection. I didn't realize it, but that is why I had to restart my browser. I did not have to restart the PC.

I am attaching the documents mentioned in my last post. Remember that they are from after I ran the Rundll command that stopped BT.

Paul

Finally...they are attached... That rundll command did something which screwed up my connection.


Attached Thumbnails
This is a Security issue, but more!!!-procexp1.png   This is a Security issue, but more!!!-procexp2.png  
Attached Files
File Type: txt tasklistsvc.txt (4.6 KB, 27 views)
File Type: txt tasklistdll.txt (57.2 KB, 354 views)