This is a Security issue, but more!!!


  1. Posts : 9,582
    Windows 8.1 Pro RTM x64
       #61

    Hi Paul,

    Thanks for clearing up my suspicions with that directory. I don't have HP (home built PC), so I hadn't come across it before, which is why I flagged it up.

    There is a folder Installer on the drive, but it is a sub-folder of the Windows folder. This looks normal (if it is in that location - elsewhere is suspicious). When you hover over these files, what does the pop-up say (note that not all have such a pop-up)?

    Finally, what security issues have you got, as the flag is showing that you have some problems?


  2. Posts : 57
    Windows 7
    Thread Starter
       #62

    Dwarf:

    I edited my post as I realized my error. But this directory is unusual as regards its contents. The subfolder is hidden, but I can look at the files at the command line after I run attrib. Here is the output for c:\windows\attrib -a -h -s -i *.*:

    Access denied - C:\Windows\bfsvc.exe
    Access denied - C:\Windows\explorer.exe
    Access denied - C:\Windows\fveupdate.exe
    Access denied - C:\Windows\HelpPane.exe
    Access denied - C:\Windows\hh.exe
    Access denied - C:\Windows\mib.bin
    Access denied - C:\Windows\notepad.exe
    Access denied - C:\Windows\regedit.exe
    Access denied - C:\Windows\splwow64.exe
    Access denied - C:\Windows\twain.dll
    Access denied - C:\Windows\twain_32.dll
    Access denied - C:\Windows\twunk_16.exe
    Access denied - C:\Windows\twunk_32.exe
    Access denied - C:\Windows\winhlp32.exe
    Access denied - C:\Windows\WMSysPr9.prx
    Access denied - C:\Windows\write.exe


    Then once I switch to the installer directory, I run the same attrib command with no problem. So here are the contents of the c:\windows\installer (hidden) directory.


    Volume in drive C has no label.
    Volume Serial Number is A269-346A

    Directory of C:\Windows\Installer

    05/02/2009 11:07 AM <DIR> .
    05/02/2009 11:07 AM <DIR> ..
    05/01/2009 05:13 PM <DIR> $PatchCache$
    06/12/2008 08:24 AM 6,626,304 12df686.msi
    06/12/2008 08:24 AM 2,349,056 12df68c.msi
    12/19/2005 10:52 PM 6,019,584 18ea727.msi
    07/29/2008 12:55 PM 242,176 1bb3d9.msi
    01/08/2009 02:30 PM 14,909,440 1bb3df.msi
    03/20/2009 05:18 PM 3,998,208 1bb3ed.msi
    09/19/2008 11:34 PM 3,899,392 1bb3f3.msi
    08/26/2008 03:45 AM 5,426,688 1bb3f9.msi
    08/14/2008 07:01 PM 3,213,824 1bb3ff.msi
    08/08/2008 02:44 AM 3,106,816 1bb405.msi
    08/08/2008 02:46 AM 3,106,816 1bb40b.msi
    07/29/2008 02:13 AM 3,108,864 1bb412.msi
    08/31/2008 05:15 AM 3,772,416 1bb418.msi
    07/31/2008 11:53 PM 5,470,728 1bb41e.msi
    08/01/2008 11:13 PM 3,129,344 1bb424.msi
    07/28/2008 04:08 PM 3,115,520 1bb42a.msi
    08/04/2008 09:33 PM 3,110,912 1bb430.msi
    07/29/2008 12:56 PM 3,111,936 1bb436.msi
    08/29/2008 06:57 AM 3,737,088 1bb43c.msi
    07/31/2008 06:39 AM 3,181,568 1bb442.msi
    08/01/2008 10:29 PM 3,115,008 1bb448.msi
    05/29/2008 10:04 AM 29,696 1bb44e.msi
    08/25/2008 09:58 PM 3,146,240 1bb454.msi
    08/14/2008 07:18 PM 3,121,664 1bb45a.msi
    07/29/2008 02:06 AM 3,109,376 1bb460.msi
    07/29/2008 01:48 AM 3,108,864 1bb467.msi
    07/29/2008 01:53 AM 3,109,888 1bb46e.msi
    07/29/2008 02:04 AM 3,109,376 1bb475.msi
    08/12/2008 06:12 PM 3,108,864 1bb47b.msi
    08/06/2008 09:52 PM 6,025,728 1bb482.msi
    08/14/2008 07:22 PM 3,119,104 1bb488.msi
    05/01/2009 02:04 PM 24,064 1bb496.msi
    07/29/2008 02:47 AM 3,122,688 1bb49c.msi
    09/19/2008 11:33 PM 3,112,448 1bb4a2.msi
    07/29/2008 03:03 AM 3,119,104 1bb4a8.msi
    09/12/2008 10:54 PM 4,936,192 1bb4ae.msi
    08/12/2008 10:39 AM 4,930,048 1bb4b5.msi
    08/01/2008 01:23 AM 3,134,464 1bb4bc.msi
    08/13/2008 10:16 PM 3,124,736 1bb4c2.msi
    08/14/2008 07:15 PM 3,761,664 1bb4c8.msi
    08/29/2008 06:42 AM 3,319,296 1bb4ce.msi
    08/25/2008 10:05 PM 3,146,240 1bb4d4.msi
    07/29/2008 02:17 AM 3,131,904 1bb4da.msi
    07/29/2008 02:32 AM 3,131,392 1bb4e0.msi
    07/26/2008 05:37 AM 3,152,384 1bb4e6.msi
    07/26/2008 05:39 AM 3,152,384 1bb4ec.msi
    07/29/2008 02:55 AM 3,122,688 1bb4f2.msi
    07/29/2008 03:06 AM 3,119,104 1bb4f8.msi
    07/26/2008 05:49 AM 3,112,448 1bb4fe.msi
    07/26/2008 05:53 AM 3,112,448 1bb504.msi
    08/14/2008 01:06 AM 3,113,984 1bb50a.msi
    09/19/2008 11:34 PM 3,121,152 1bb511.msi
    09/19/2008 11:23 PM 5,850,624 1bb517.msi
    09/19/2008 11:30 PM 6,215,680 1bb51d.msi
    05/01/2009 02:25 PM 68,519,424 1bb522.msi
    04/02/2009 04:09 PM 14,265,344 2eadf.msi
    04/02/2009 04:10 PM 2,083,840 2eae5.msi
    04/02/2009 04:09 PM 27,953,664 2eaeb.msi
    04/02/2009 04:09 PM 2,713,088 2eaf1.msi
    04/02/2009 04:29 PM 41,832,960 2eaf5.msi
    05/02/2009 02:11 AM 12,253,184 dccc99.msi
    05/01/2009 05:12 PM 0 wix{BA1035C7-14DE-4857-8285-4ACFC74172EC}.SchedServiceConfig.rmi
    (previously this was a midi file under filetype)
    05/01/2009 02:03 PM <DIR> {00ADFB20-AE75-46F4-AD2C-F48B15AC3100}
    05/01/2009 02:03 PM <DIR> {0D6013AB-A0C7-41DC-973C-E93129C9A29F}
    05/01/2009 05:12 PM <DIR> {216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
    05/02/2009 02:13 AM <DIR> {26A24AE4-039D-4CA4-87B4-2F83216013FF}
    05/01/2009 02:05 PM <DIR> {35D94F92-1D3A-43C5-8605-EA268B1A7BD9}
    05/01/2009 02:25 PM <DIR> {37EA4EB5-2C4D-40CC-9EB1-762F1711ECDE}
    05/01/2009 02:03 PM <DIR> {5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}
    05/01/2009 02:04 PM <DIR> {67F0E67A-8E93-4C2C-B29D-47C48262738A}
    05/01/2009 05:12 PM <DIR> {6956856F-B6B3-4BE0-BA0B-8F495BE32033}
    05/01/2009 01:45 PM <DIR> {889450B1-87C5-4A38-B766-DBBC9845EABE}
    05/02/2009 11:06 AM <DIR> {90110409-6000-11D3-8CFE-0150048383C9}
    05/02/2009 09:24 AM <DIR> {AC76BA86-1033-F400-7761-000000000004}
    05/01/2009 05:13 PM <DIR> {AE303591-1BFC-48B3-881B-655298C4EDE0}
    05/01/2009 05:12 PM <DIR> {BA1035C7-14DE-4857-8285-4ACFC74172EC}
    05/01/2009 02:01 PM <DIR> {C52E3EC1-048C-45E1-8D53-10B0C6509683}
    05/01/2009 05:12 PM <DIR> {DAE239CE-EB9D-4EB3-B0D4-528D6BAA48FD}
    05/01/2009 01:51 PM <DIR> {DCCAD079-F92C-44DA-B258-624FC6517A5A}
    05/01/2009 02:08 PM <DIR> {E4848436-0345-47E2-B648-8B522FCDA623}
    62 File(s) 367,429,128 bytes
    21 Dir(s) 228,082,671,616 bytes free

    I do not know if the file above was a midi file or not (but it did say this under file type), and when I tried to run it in WMP, it was unable to play it, and when I ran it with VLC, it immediately said I needed a version which corrected a bug that caused problems with multi-screen systems.
    In the two screenshots of the installer directory from Windows, I see what now looks rather benign.
    [IMG]file:///C:/Users/connor/AppData/Local/Temp/moz-screenshot.jpg[/IMG][IMG]file:///C:/Users/connor/AppData/Local/Temp/moz-screenshot-1.jpg[/IMG] [EDIT: Note: I did not type this (purple text) into this post. Is this automated text? Further, when I saved them, I saved them as .png files from Paint. Perhaps this is just the "prt sc" default directory and filetype. I thought I would mention this anyway since I was unsure.]

    Also, while I have installed WIN7 (build 7077) for 64 bit, I keep getting errors that I am not running a 64 bit platform, but rather a 32 bit platform. What type of virtualization programs exist which someone could use to bridge 32 bit applications to 64 bit? Does it emulate a 32 bit machine/OS?

    Paul


  3. Posts : 57
    Windows 7
    Thread Starter
       #63

    DWARF:

    To answer your last question re the Action Center flag. It says that I need AV software... which I describe in my last post as an impossible feat (and even if I do manage to get an AV application installed, I am notified every 2 minutes to "Turn On" firewall protection. I keep turning it on, but it continues to tell me it is not on).

    Second, the Action Center says that Windows Defender needs to be run (among other things -- see screenshot of Action Center). I have never seen Windows Defender run nor update (and there are never any Windows updates either). But oddly, have a look at this log file from c:\windows\temp. The file is called "MpCmdRun.log", and it appears that Defender is running (and quite frequently too):

    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob
    Start Time: Fri May 01 2009 13:50:34

    Start: Signatures Update Service
    Update Started
    Search Started (windows update)...
    Time Info - Fri May 01 2009 13:50:48 Search Completed
    Download Started...
    Download Progress-
    Update Index:0 of 1 - 0%
    Download Progress-
    Update Index:0 of 1 - 0%
    Time Info - Fri May 01 2009 13:51:06 Download Progress-
    Update Index:0 of 1 - 2%
    Time Info - Fri May 01 2009 13:51:18 Download Progress-
    Update Index:0 of 1 - 4%
    Time Info - Fri May 01 2009 13:51:29 Download Progress-
    Update Index:0 of 1 - 6%
    Time Info - Fri May 01 2009 13:51:39 Download Progress-
    Update Index:0 of 1 - 8%
    Time Info - Fri May 01 2009 13:51:49 Download Progress-
    Update Index:0 of 1 - 10%
    Time Info - Fri May 01 2009 13:52:01 Download Progress-
    Update Index:0 of 1 - 13%
    Time Info - Fri May 01 2009 13:52:13 Download Progress-
    Update Index:0 of 1 - 15%
    Time Info - Fri May 01 2009 13:52:29 Download Progress-
    Update Index:0 of 1 - 17%
    Time Info - Fri May 01 2009 13:52:42 Download Progress-
    Update Index:0 of 1 - 19%
    Time Info - Fri May 01 2009 13:52:54 Download Progress-
    Update Index:0 of 1 - 21%
    Time Info - Fri May 01 2009 13:53:05 Download Progress-
    Update Index:0 of 1 - 23%
    Time Info - Fri May 01 2009 13:53:18 Download Progress-
    Update Index:0 of 1 - 26%
    Time Info - Fri May 01 2009 13:53:33 Download Progress-
    Update Index:0 of 1 - 28%
    Time Info - Fri May 01 2009 13:53:48 Download Progress-
    Update Index:0 of 1 - 30%
    Time Info - Fri May 01 2009 13:54:00 Download Progress-
    Update Index:0 of 1 - 32%
    Time Info - Fri May 01 2009 13:54:14 Download Progress-
    Update Index:0 of 1 - 34%
    Time Info - Fri May 01 2009 13:54:28 Download Progress-
    Update Index:0 of 1 - 36%
    Time Info - Fri May 01 2009 13:54:43 Download Progress-
    Update Index:0 of 1 - 39%
    Time Info - Fri May 01 2009 13:54:59 Download Progress-
    Update Index:0 of 1 - 41%
    Time Info - Fri May 01 2009 13:55:12 Download Progress-
    Update Index:0 of 1 - 43%
    Time Info - Fri May 01 2009 13:55:32 Download Progress-
    Update Index:0 of 1 - 45%
    Time Info - Fri May 01 2009 13:55:47 Download Progress-
    Update Index:0 of 1 - 47%
    Time Info - Fri May 01 2009 13:56:00 Download Progress-
    Update Index:0 of 1 - 49%
    Time Info - Fri May 01 2009 13:56:13 Download Progress-
    Update Index:0 of 1 - 52%
    Time Info - Fri May 01 2009 13:56:27 Download Progress-
    Update Index:0 of 1 - 54%
    Time Info - Fri May 01 2009 13:56:40 Download Progress-
    Update Index:0 of 1 - 56%
    Time Info - Fri May 01 2009 13:56:54 Download Progress-
    Update Index:0 of 1 - 58%
    Time Info - Fri May 01 2009 13:57:07 Download Progress-
    Update Index:0 of 1 - 60%
    Time Info - Fri May 01 2009 13:57:23 Download Progress-
    Update Index:0 of 1 - 62%
    Time Info - Fri May 01 2009 13:57:36 Download Progress-
    Update Index:0 of 1 - 65%
    Time Info - Fri May 01 2009 13:57:51 Download Progress-
    Update Index:0 of 1 - 67%
    Time Info - Fri May 01 2009 13:58:06 Download Progress-
    Update Index:0 of 1 - 69%
    Time Info - Fri May 01 2009 13:58:23 Download Progress-
    Update Index:0 of 1 - 71%
    Time Info - Fri May 01 2009 13:58:37 Download Progress-
    Update Index:0 of 1 - 73%
    Time Info - Fri May 01 2009 13:58:48 Download Progress-
    Update Index:0 of 1 - 76%
    Time Info - Fri May 01 2009 13:58:58 Download Progress-
    Update Index:0 of 1 - 78%
    Download Progress-
    Update Index:0 of 1 - 80%
    Time Info - Fri May 01 2009 13:59:20 Download Progress-
    Update Index:0 of 1 - 82%
    Time Info - Fri May 01 2009 13:59:37 Download Progress-
    Update Index:0 of 1 - 84%
    Time Info - Fri May 01 2009 13:59:55 Download Progress-
    Update Index:0 of 1 - 86%
    Time Info - Fri May 01 2009 14:00:13 Download Progress-
    Update Index:0 of 1 - 89%
    Time Info - Fri May 01 2009 14:00:29 Download Progress-
    Update Index:0 of 1 - 91%
    Time Info - Fri May 01 2009 14:00:46 Download Progress-
    Update Index:0 of 1 - 93%
    Time Info - Fri May 01 2009 14:01:03 Download Progress-
    Update Index:0 of 1 - 95%
    Time Info - Fri May 01 2009 14:01:16 Download Progress-
    Update Index:0 of 1 - 97%
    Time Info - Fri May 01 2009 14:01:29 Download Progress-
    Update Index:0 of 1 - 99%
    Download Progress-
    Update Index:0 of 1 - 100%
    Download Progress-
    Update Index:0 of 1 - 100%
    Download Completed
    Installation Started...
    Installation Progress-
    Percent Complete:0,
    Current Update Index:0 (of 1)
    Installation Progress-
    Percent Complete:0,
    Current Update Index:0 (of 1)
    Installation Progress-
    Percent Complete:100,
    Current Update Index:0 (of 1)
    Installation Progress-
    Percent Complete:100,
    Current Update Index:0 (of 1)
    Installation Completed
    Update completed succesfuly
    End: Signatures Update Service
    MpCmdRun: End Time: Fri May 01 2009 14:01:38
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 688A2260-A1E7-BC35-ACC9-AF5ACB4EA416
    Start Time: Fri May 01 2009 14:12:12

    MpCmdRun: End Time: Fri May 01 2009 14:12:12
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 18C2F5F8-6472-70D3-3A85-F0AA2C3F9294
    Start Time: Fri May 01 2009 14:22:37

    MpCmdRun: End Time: Fri May 01 2009 14:22:37
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey A435D565-CD56-08AF-CD7C-C681E37DB9A2
    Start Time: Fri May 01 2009 14:33:38

    MpCmdRun: End Time: Fri May 01 2009 14:33:38
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 0D469D41-B778-B13A-662B-D12CC3991065
    Start Time: Fri May 01 2009 17:52:33

    MpCmdRun: End Time: Fri May 01 2009 17:52:33
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey C3997AFA-AA96-A7D7-EC02-A7D94A4F4055
    Start Time: Sat May 02 2009 00:12:00

    MpCmdRun: End Time: Sat May 02 2009 00:12:00
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 2D4A620D-37E0-105E-7F92-E1C303AE73F8
    Start Time: Sat May 02 2009 00:22:06

    MpCmdRun: End Time: Sat May 02 2009 00:22:06
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey F54A173C-EDB0-E5CD-F0A3-B8C413D1C8C5
    Start Time: Sat May 02 2009 01:17:34

    MpCmdRun: End Time: Sat May 02 2009 01:17:35
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey D87F1E2A-8FF4-B11E-E964-DE98DCC8C22A
    Start Time: Sat May 02 2009 02:09:46

    MpCmdRun: End Time: Sat May 02 2009 02:09:46
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 732C2C66-487D-7964-9980-83E8D7B071C5
    Start Time: Sat May 02 2009 02:29:51

    MpCmdRun: End Time: Sat May 02 2009 02:29:51
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 60D00063-68E2-0758-599B-5294687728A4
    Start Time: Sat May 02 2009 02:40:26

    MpCmdRun: End Time: Sat May 02 2009 02:40:26
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 96902F4A-6420-41A4-D662-7C7EA173ACAB
    Start Time: Sat May 02 2009 03:23:09

    MpCmdRun: End Time: Sat May 02 2009 03:23:09
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 348685F5-9768-82F5-9535-666BE0A0835C
    Start Time: Sat May 02 2009 03:33:20

    MpCmdRun: End Time: Sat May 02 2009 03:33:20
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 3060F66B-75D3-3834-01FB-CC858D38C4BD
    Start Time: Sat May 02 2009 09:26:28

    MpCmdRun: End Time: Sat May 02 2009 09:26:28
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 625A7DED-3E72-02A3-F807-0D4315E4F10A
    Start Time: Sat May 02 2009 09:36:16

    MpCmdRun: End Time: Sat May 02 2009 09:36:16
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 2DD73736-4A9E-AA1B-FE5A-2ECBE7DAB6F3
    Start Time: Sat May 02 2009 10:34:13

    MpCmdRun: End Time: Sat May 02 2009 10:34:13
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 44D40EB4-9B70-2A34-412C-7BEDED998283
    Start Time: Sat May 02 2009 11:04:16

    MpCmdRun: End Time: Sat May 02 2009 11:04:16
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey A2A5B72E-62B5-C6BC-7E12-C7124817AF81
    Start Time: Sat May 02 2009 13:32:27

    MpCmdRun: End Time: Sat May 02 2009 13:32:27
    -------------------------------------------------------------------------------------

    And when I look at the Security tab of this log file, why are the Administrators group and the SYSTEM group shared??? [See screenshot called defenderlog.]

    Paul
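One way to settle the question raised in the post above (does Defender actually run, and do its signature updates complete?) is to parse MpCmdRun.log instead of reading hundreds of progress lines by eye. This is an added example, not code from the thread: the entry layout follows the log posted above, the sample entries (with placeholder AccessKey values) are constructed, and the expected executable path is an assumption taken from the log's own command line.

```python
"""Triage helper for Windows Defender's MpCmdRun.log (found under C:\\Windows\\Temp).

Added example, not code from the thread. Parses each "MpCmdRun:" entry, pairs
its start/end times, and reports what ran, how long it took, whether the
signature update completed, and whether the executable path is the expected one.
"""
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample in the same layout as the entries posted in the thread;
# the AccessKey value below is a placeholder, not a real one.
SAMPLE_LOG = r"""
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob
Start Time: Fri May 01 2009 13:50:34

Start: Signatures Update Service
Update Started
Download Completed
Installation Completed
Update completed succesfuly
End: Signatures Update Service
MpCmdRun: End Time: Fri May 01 2009 14:01:38
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "c:\program files\windows defender\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 00000000-0000-0000-0000-000000000001
Start Time: Fri May 01 2009 14:12:12

MpCmdRun: End Time: Fri May 01 2009 14:12:12
-------------------------------------------------------------------------------------
"""

# Assumption: the genuine binary lives where the logged command line says it does.
EXPECTED_EXE = r"c:\program files\windows defender\mpcmdrun.exe"
TS_FMT = "%a %b %d %Y %H:%M:%S"          # e.g. "Fri May 01 2009 13:50:34"

CMD_RE = re.compile(r'^MpCmdRun: Command Line: "(?P<exe>[^"]+)"\s+(?P<verb>\S+)(?P<args>.*)$')
START_RE = re.compile(r"^Start Time: (?P<ts>.+)$")
END_RE = re.compile(r"^MpCmdRun: End Time: (?P<ts>.+)$")


def parse_runs(text):
    """Return one dict per MpCmdRun invocation found in the log text."""
    runs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = CMD_RE.match(line)
        if m:                                # a new entry begins
            cur = {"exe": m["exe"], "verb": m["verb"], "args": m["args"].strip(),
                   "start": None, "end": None, "update_ok": False}
            runs.append(cur)
            continue
        if cur is None:
            continue                         # separator lines, blank lines
        m = START_RE.match(line)
        if m:
            cur["start"] = datetime.strptime(m["ts"], TS_FMT)
            continue
        m = END_RE.match(line)
        if m:
            cur["end"] = datetime.strptime(m["ts"], TS_FMT)
            cur = None                       # entry closed
            continue
        if line.startswith("Update completed"):
            cur["update_ok"] = True          # spelled "succesfuly" in the real log


    return runs


def summarize(runs):
    """Counts per verb, durations in seconds, successful updates, odd exe paths."""
    durations = {}
    for r in runs:
        if r["start"] and r["end"]:
            durations.setdefault(r["verb"], []).append((r["end"] - r["start"]).total_seconds())
    return {
        "per_verb": dict(Counter(r["verb"] for r in runs)),
        "durations": durations,
        "signature_updates_ok": sum(1 for r in runs
                                    if r["verb"] == "SignaturesUpdateService" and r["update_ok"]),
        # A run launched from any other path deserves a closer look.
        "unexpected_exe": sorted({r["exe"] for r in runs if r["exe"].lower() != EXPECTED_EXE}),
    }


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in summarize(parse_runs(text)).items():
        print(f"{key}: {value}")
```

Run it with the path to the real log as the only argument; with no argument it reports on the constructed sample.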


  4. Posts : 795
    windows 7 RTM x64
       #64

    Go into the BIOS and turn off the Bluetooth radio if you're that paranoid. While yes, with a really high power signal you can broadcast for quite some distance, it's not happening with your laptop. It would be simple one-way communication if only "his" end had the high power radio. Since you claim that he knows what you are doing, then this can't be the case as your laptop doesn't have that kind of transmit power.

    If you are this concerned with it, just pop the hard drive out and nuke it in another machine prior to re-installing the OS. You can get all the drivers you need from www.hp.com/#support/

    Might I suggest an end to all this wonderful madness: just sell the damned laptop to someone else and get a different one.


  5. Posts : 57
    Windows 7
    Thread Starter
       #65

    Thank you for your reply....

    Unfortunately, my BIOS does not have Bluetooth radio. And what I am suggesting is that the trojan broadcasts an address long enough for the UDP packets to pass through any near enough AP to connect. Then with that connection (this is why I was so confused earlier, because I would just get near a wifi router and I would see familiar TCP/UDP routes..... every time..)

    And, I did dump my old laptop....sold it for $50.

    Then after a week I got a new one, and because I had been using a flash drive in the old laptop and then at internet cafés -- I completely spaced and put it in the new laptop. The framework of this virus is a lot like "Downadup". If you go to the Norton page on this virus it refers to fake or created services from certain combinations of keywords. I have almost every one of these services...

    And I WANT to stop the madness, except HP doesn't have a bootable ISO -- which I know I could do by unpacking the drivers and creating a boot CD, but HP does not put all the drivers needed on their download boards. For example my SATA drive is a Toshiba... but on the page at HP for my model, there is only a driver for certain models which had a Hitachi drive....

    So, I ordered the damn disks... and hopefully I will be through with this.

    But, after trying Spotmau wipe, Darik Boot and Nuke, and a few others, the freeware from HDDguru -- all without success because they are recognized and hooked and made inoperable before they can run properly.....

    So, before I remove the HD, and find another machine to wipe it, if someone can suggest a good but perhaps not so well known utility...I would appreciate it.

    Thanks again for everyone's help. I know this is annoying...but like I said, it is like having a new roommate that you are not particularly fond of-- day after day.

    Paul


  6. Posts : 2,651
    W7 RTM Ultimate x64
       #66

    I'd have to say, disable your wireless and change your password for your AP; they could use that to get into your laptop, as angryman said earlier.


  7. Posts : 2,899
    Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
       #67

    First of all, can you show us a Process Explorer log or a pic of it?
    For the Bluetooth:
    go to Start and type run
    there type this...
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL bthprops.cpl,,1
    you should come up with the Bluetooth control panel
    follow this..
    [screenshot: blutooth.png]
    it should completely disable Bluetooth and letting you at the same time advise you if nye
    you have done the down
    check it every few minutes and see if it is changing...
    is this laptop under warranty?
    if not, what I would do is this...
    I would physically remove it (the Bluetooth dongle)...
    that would end the whole Bluetooth hole in your security...
    also boot up under a Linux live CD and repartition *everything* that touched your old computer....
    (I mean everything, that is yours of course...)


  8. Posts : 57
    Windows 7
    Thread Starter
       #68

    Thank you for your reply D.A. The tone of your post made me both pleased that you sounded like you had heard of this type of bug, and also worried because you sounded grave.

    First, I ran the rundll command just as you typed it, and quickly my "Run" dialog box faded away, the mouse pointer "busy circle" spun for about 3 minutes.... I thought my system was going to crash. Then, as if nothing was wrong, everything just snapped back into working order. I double-checked what I had typed and it was correct. I would have tried running it a second time, but I thought I would have to restart my laptop. And in any regard, if I know this bug (this guy), he has now anticipated me doing this, and running that command again will have no effect. So, is there anything else I can do to check BT? Also, is the dongle typically easy to remove like a wireless NIC, or does it vary from laptop to laptop?

    There are many times in the past I have done something he or it did not like, but I got no second chances.... two off the top of my head were i) when I realized under the DISKPART utility you could select a disk and type "clean all", and ii) when I figured out that if I reinstalled Win 7 from the command line and added the switch/modifier "/dudisabled", which disabled dynamic changes made to the installation process.... in each case when I tried it a second time..... there were no fireworks.... For instance, when I used "diskpart clean all" the second time, my disk light went on, it stayed on, but nothing inside was moving at all, and the light does not flicker the least bit... so I know that is merely a red herring.... (i.e., lights are on, but nobody's home), and secondly, if I try the switch "setup /dudisabled" now, I will always get a dialog box which says that the modifier "/dudisabled" is unrecognized and I get to sit at the blue screen that says "Setup is loading" until I restart.

    I am telling you, it or he makes up errors ALL THE TIME... I could tell you at least 10 more errors I know are BS... but just responses so the PC seems somewhat legitimate.

    And trust me, all my peripheral storage devices.... from my WD backup drive, every flash drive, my iPod, my camera.... all of them will be thoroughly cleaned even if that means I have to douse them with gasoline and set them on fire.


    Paul


  9. Posts : 57
    Windows 7
    Thread Starter
       #69

    My apologies, I forgot the Process Explorer shots. I used the Sysinternals PROCEX64 utility.... which has a lot of additional information. I did two pages so you could get full detail.

    Also, I am attaching a print from the command line app "Tasklist /svc" which shows associated services running with the process in question, and also a print out of "Tasklist /M" which shows the dlls loaded for each process.


    Also, just to see if I was right.... I ran the Rundll command again. This time, my laptop didn't even blink. I might as well have been yelling at it. No reaction whatsoever.

    Paul

    NB: browser is having problems... I will send attachments in the next post.... I am going to restart laptop.


  10. Posts : 57
    Windows 7
    Thread Starter
       #70

    I think in retrospect that command you had me run did terminate my wireless connection. I didn't realize it, but that is why I had to restart my browser. I did not have to restart the PC.

    I am attaching the documents mentioned in my last post. Remember that they are from after I ran the Rundll command that stopped BT.

    Paul

    Finally... they are attached... That rundll command did something which screwed up my connection.
    Last edited by pjvex386; 03 May 2009 at 09:22.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.