Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: This is a Security issue, but more!!!

03 May 2009   #71
Microsoft MVP

Windows 7 Ultimate 32bit SP1

My suggestion would be to stay off that computer untill you can wipe it and do a clean install with Win7 RC 7100 (Tuesday May, 5th public download). I would download the ISO from someone else's known 'clean' computer, then burn the image to a DVD.

As I said in the past, change all your passwords!

Get rid of that infected flash drive.... throw it away, buy a new one.

If you are showing all symptoms of Downadup.... that is also called Conficker.

My System SpecsSystem Spec
11 May 2009   #72

Windows 7 (Build 7068)

Application Host Helper Service? well start with removing that. Usually any helper service is an EXTREME security threat...also known as a BHO or Browser Helper Object...should be called a Browser Hacker Object. A program that does good at removing all BHO's is Vista Manager, but it does have some glitches with W7. Soon they will have a version for W7. Another thing that you might want to consider...your copy of W7...did you D'load it from Pirate Bay or BitTorrent? If so, delete it and find a copy from mininova where there are several user comments supporting the legitimacy of it. I hope that information might lead you in the right direction.

EDIT: The beta version for Windows 7 Manager is now avalable. Click Here to get it.
My System SpecsSystem Spec
11 May 2009   #73

Linux CENTOS 7 / various Windows OS'es and servers

Quote   Quote: Originally Posted by Jacee View Post
My suggestion would be to stay off that computer untill you can wipe it and do a clean install with Win7 RC 7100 (Tuesday May, 5th public download). I would download the ISO from someone else's known 'clean' computer, then burn the image to a DVD.

As I said in the past, change all your passwords!

Get rid of that infected flash drive.... throw it away, buy a new one.

If you are showing all symptoms of Downadup.... that is also called Conficker.

1) As well as reformatting the ENTIRE drive (delete ALL partitions on the disk) you must also do a SECURITY ERASE ON EVERY WRITEABLE SECTOR ON THE ENTIRE DISK.
In Particular the MBR on sector 0 must also be security erased.

There's plenty of utilities to do this -- just google security erase.

2) "Bin" the USB stick -- and get another one if you MUST use these type of devices. Security erasing these is a bit more tricky so I wouldn't bother -- just sling it.

3) Install a Live CD of say a Linux distro and run any AV software to check that your EMPTY computer is clean. This will also check that the disks don't contain ANY data before you start to install your OS.

I say use a Linux live CD as these are reasonably available -- Unless you can make something like a Bartpe or VistaPE type of live Windows CD then it's difficult to check your computer is CLEAN until you've installed an OS -- which itslef might not be clean.

(Any people designing AV software -- How about a Bootable stand alone version that can check a machine for infections WITHOUT having to run from say within Windows itself).

4) Install Windows from a 100% CLEAN install DVD / CD.

My System SpecsSystem Spec

11 May 2009   #74

Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)

jimbo some of the big av companies do this if im not wrong...
avast is one
avast! BART CD - bootable antivirus and recovery CD

of course they are not free by chance (except some that run on linux...)
My System SpecsSystem Spec
11 May 2009   #75


I posted a 1000 word reply to everyone, but lost it because I had forgotten that I had taken my battery out of my laptop before I unplugged it to walk outside to get use an unsecured AP which I am using until my ISP comes monday (today). I take the battery out because it makes it easier to reboot cleanly by ensuring there is no charge still in the laptop which might be holding some code.

It was an interesting post. But the bottom line is that I have done what I can and I need to seek someone out in Chicago who can look at this. I replaced the hard drive and used factory disks that I ordered from HP without any other peripherals on my notebook, and the virus remains.

You can disbelieve all you want. But it is true. This is very very weird. Whatever you want to know though, I will provide. I have maybe 500 screenshots in Windows 7, Vista, Ubuntu and Mint Linux (both distros are Debian/Ubuntu based), all showing the craziest things you can imagine..... and pages and pages of handwritten notes over the last 4 months of this hell describing my theories and observations on this hijacking of my laptop. Been up for 72 hours with the first a reinstallation of the OS from the factory disks, and then two nights ago, I swapped out the hard drive. Since then I have thought of everything else in between---different steps I could take in the sequence from wiping to reinstalling and nothing has worked. This is like polio in the 1920s.

My System SpecsSystem Spec
11 May 2009   #76

7600.20510 x86

lol I've been following this thread in amazement and have come to the conclusion that it is God's way of telling you (and us too lol) that there is more to life than pcs and electronics.
My System SpecsSystem Spec
12 May 2009   #77


I am not so weary as I was when I wrote that last post. I am seriously having a very difficult time with this, and it is getting to me as I need this laptop for income. And having been in a financial crunch to begin with, after my first laptop I unloaded on some poor guy for $50, my parents bought me the new HP--and I feel terrible for them to have to buy me this laptop, spend $850, and then I get on the phone with them to tell them, exasperated why I cannot use my laptop with any real productivity. But they do not understand it. My dad thinks this "Linux" thing I installed must be some kind of a game that is causing it. They understandably cannot comprehend what I am dealing with (nor, I imagine can many of you).

I am not going to take this laptop to anyone only to pay $300 for what I can do if I know how. I did what was -- to me anyway -- the common sense thing. First I ordered the HP disks which were perfect and they contained windows and other software as disks like these do. For this first attempt, I did the following:

I unplugged the laptop, removed the battery, held down the power button for 30 seconds, then I left out the battery. and plugged the AC back in. I booted from a boot CD I obtained from a friend (it is not factory made--only burned, but my friend said he has used it countless times to recover drives or do whatever he needs to do). All I wanted to do was to wipe the drive (this would be my first drive on this laptop, a 250GB sata drive made by Toshiba. The application I used was called HDAT2, and it was the only one that showed all of the sectors which comprised the 250.06GB that was showing in system info in the parantheses--see earlier post). I watched for 55 minutes as my hard drive was being wiped. I only did 1 pass as wiping this drive is not so much for prevention of forensic recovery, only to get rid of a nasty bug.

I then used the factory hp disks for my vista install, which could not really be a problem, right, right? And before I did this, to double check the efficacy of my wipe, I hand checked using a sector editor to make sure all were zeroes. [didn't check every one obviously, but spot checked fairly thoroughly. You know what happens at the end of this story..... Nothing changes. But on a bright note, I did get to see and use for a brief moment all of the neat software from HP that came with the laptop originally.

So, I was tired enough from all of this and I read the helpful posts regarding a bootCD with a wipe utility and also one for virus removal. I did not want to take any chances and was so desperate, I thought, "hell with it" I will kill a spider with a brick of C4 (so to speak)... I went to Micro Center and got a WD 350GB sata drive. New. (I heard new meant "empty", so I thought that would be the end of it.)

In swapping out the hard drive, I did everything I did above, except I was in a basement, and for fun, I put electricians tape over the IR port. There was not a USB peripheral within 20 feet. My only regret now is that before putting in the new hard drive, I should have closed the laptop up and tried to reboot the machine from a clean Linux distro to see what happened, but I thought it was already overkill. I regret not checking that now.

Though I lost my screenshots (see below), I can tell you a bit more about what happened after VISTA came up after I installed it on the new drive. First, it came bundled with a 60 day trial of Norton. I activated the firewall, and then I turned on the wireless adapter to run a live update of virus definitions. Simultaneously, I ran windows update. Both had a lot of data to download--Norton had 12 mgs of updated definitions, windows had 44, most of which were "critical" or "important" . Norton finished first, and I gave windows update another 10 minutes to finish, and both processes required a restart which I did. Windows was able to install 3 updates out 44 (and the 41 that failed were all security updates). Norton seemed proud that it found 14 tracking cookies, but nothing else. Knowing this monster as I do, I ran Norton LiveUpdate a second time, and wow, look at that! Norton needed to download another 12 mgs of defintion updates! I know this is another red herring as everything I do on this laptop is... After norton ran a second time without finding anything. I restarted my PC, and opened up the history log on Norton. It stated that never had any updates been download, nor were there any scans that had been run since its intallation. Frankly, this was no surprise to me.

After writing 2 very long posts (one that I lost as described in my last post), and I lost the second because my wireless connection somehow stalled and my system freezes (this was last night). I was really at a dark point. But then I thought...if this is happening, people should know about it. I have the old Toshiba drive (which I almost wanted to remove from my laptop with a large forceps because in my mind it was so contaminated), and I now have the new drive just as contaminated, and I know all of the services and the methods that are vital to its survival. Unfortunately, the 500 screen shots I mentioned in my last post were on a flash drive that mysteriously became "degaussed" (i.e., it was blank, and unformatted and I tried to look at the sectors and they were zeroed-out. It happened at some point when I was using it in the laptop. It cannot take more than 15 minutes (or less even) to zero out a flash drive, and given the nature of this, I attribute it to my worm/virus/new roommate.

I was going to go today to a university (I am in Chicago), either Loyola, or Northwestern, or somewhere that had a decent Comp Sci department. I was hoping to see if I could find a professor or someone who could confirm this for me. I now needed to not only get rid of it, but to know that what happened -- actually happened.

Here are some questions for anyone reading this that I am currently thinking.....

Given all that I did, what is the liklihood that a) the offensive code in question is in the CMOS? [IMG]file:///C:/Users/connor/AppData/Local/Temp/moz-screenshot.jpg[/IMG]b) is there is someway to tunnel to my PC without it advertising or broadcasting my presence (or, in the alternative, can even a fresh, absolutely clean install of windows vista -- which does send out random advertisements of its adapters (and I do not know about bluetooth--how it functions upon install, or if the IR port can be used to receive BT) can an intruder access these devices if it has an address of some sort (like a MAC but for a software based adapter like ISATAP, or Teredo?

I took a few screen shots today, but my heart really is not into it after losing so many. They are as follows...(btw, they are not as spellbinding as the others, but they are not ordinary by any means).

Shots 1,3 and 4: I am trying to look at the flash drive which was coming up as "Needed to be formatted"). In shot 1, I show the flash drive properties dialog box, and under the hardware tab, it lists all the storage devices, I choose my flashdrive and click properties again here. A second dialog box opens which appears to be the actual properties of the flash drive (see shot 3). First, I click on the "Policies" tab, and there are no options (see shot fu4)...the optoins are greyed out..but I do not know if this is normal or not. Then I decide to click on the "Change Settings" button under the "General" tab of the properties box, and suddenly, this properties box disappears, and reappears in the upper left corner (see shot 4). Same box, but the button is gone. It seemed odd, and this window jumping thing happens all the time (along with boxes opening twice in immediate succession, but only one box remains when I click on it).

Shot bth just shows the bluetooth service running. Which I cannot shutdown -- I get "access denied".

Shots dsdsd and bs error show what happens when I try to run the setup of WIN 7 with the option switch /dudisabled. It starts fine, then I get the error.

Shot registry is under currentcomponentset/services/ and it shows all of the added keys besides your standard tcpip. Notice the ipv6tunnel.....

One last thing for any of you who are naysayers. What this bug does is allow someone access to anything I am doing with this laptop. That is if windows is on it (well, that is a theory, which is why tonight, I may remove the hard drive and boot from a Linux Distro -- anyone know a good distro that does not install with auto-SSH agents enabled????) then my laptop can be accessed. I do not care if I boot from any other applicatino or OS, sooner or later it manages to get into it. WIth Linux for example, I am certain that during the live CD boot, it can stop and start files, move them in the foreground and background, and change things so whether it is LIVE or a full install , I may be called root, but I am userid "1000", which is not root. I see during installations that init is changed to multiuser... this is in harmony with the consistent system crashes I get when I enter Telinit 1 or Telinit S in a terminal. In Linux, it is using the X-Org server. I am not terribly well versed in Linux and do not know enough about it. But I know that someone does. Commands and devices dissappear (although he has not been able to make a Builtin command go away).

So, if this theory (but it my firm belief) that he/she/it can get into the boot process of a linux distro, why can't it also get involved in a Windows installation, or a windows boot process?

Also, I wanted to add that the devilishly clever fiend behind this delays the end of startup screens in order to give him/her time to do whatever it needs to do. Once I was watching windows "update"... it was the standard screen with two lines: "Windows is configuring your updates" and "Stage X of Y - XX% completed". And in the midst of this. I hear the familiar windows tone which indicates there should be a login screen in front of me. I hit ctrl-alt-del, and the update screen disappears and there is my login screen. Is this a software bug??? Also, I have been told -- out of the blue on startup -- that one my drives needs to be checked for consistency. Chkdsk runs, but the disklight does not comeone at all. Not once. Then, bootup continues. If I wanted to give myself time to configure things to my favor, I would do something like this. I just think I am a little more perceptive (or paranoid).

There doesn't seem to exist anyway I can isolate and run a process, i.e. lock it, so no one else can touch it until it completes.

Thank you very much for your help,


NB: If you note that this post seems a bit jaded and dejected, then you are perceptive.

Attached Thumbnails
This is a Security issue, but more!!!-1.jpg   This is a Security issue, but more!!!-3.jpg   This is a Security issue, but more!!!-4.jpg   This is a Security issue, but more!!!-connection.png   This is a Security issue, but more!!!-fu4.jpg  

This is a Security issue, but more!!!-limited-access.png   This is a Security issue, but more!!!-registry.png   This is a Security issue, but more!!!-taskman-install.jpg   This is a Security issue, but more!!!-battery.jpg   This is a Security issue, but more!!!-dsdsd.jpg  

This is a Security issue, but more!!!-bs-error.jpg  
My System SpecsSystem Spec
12 May 2009   #78

7600.20510 x86

Have you considered building a Faraday cage?
My System SpecsSystem Spec
12 May 2009   #79

Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)

answering your questions..
a) it cannot being in your cmos...
1st because the attacker would have to have access to the cmos source (i take it you dont know this is a corporate secret so to speak)
2nd and if he did acces the source there is not enough storage in your cmos to be able to handle both a virus and a cmos
and 3rd because most have so to say security features which check if the bios (this is the actually software Cmos is the chip/s that contain it) file came from from the manufacturer....

as to the broadcasting (that is the proper term) problem the only thing you can do is go into safe mode disable all the adapters except the ethernet (do not for whatever reason disable any of the network adapters that are hidden (remember this is a clean install...) then restart and only and only use ethernet to connect...
unless he has access to the plans of the building and is able to cut thru the building walls then he cannot have access since you have a clean system (and is only if you have a clean system)
any kind of wireless technology broadcasts out (execpt for bluetooth as the spec specifically say that the user must initiate the connection and both users must accept as the computer is not discoverable, we covered this before and then and only then is the radio is disabled (which is by default...) so there is no way (unless the entity is already in the computer in which such change is fruitless and the best thing to do is reinstall...) the key here is that it encrypts most of the data so if you are using WPA-CCMP or WPA2-CCMP (which uses AES as the base for encryption which as of this moment has been been cracked, and my guess it wont be until a number of years later but by that time we will have AES2...:))
and please do not (if you already have delete these files),download torrent files/p2p/warez as this can be a product of a trojan that is self installing on your pc as you access these files...

and i cannot understand why you are using /DUdisable...
this command was only for NT 5.x....
NT 6.x does not use these commands and uses different syntax....
okay download this Prio - Priority Saver
and install it...
now restart and look at the task manager and look at look at the process tab....
you will see a bunch of green and red higlighting on the each process..
can you detail which ones are in red?
My System SpecsSystem Spec
12 May 2009   #80

El Capitan / Windows 10

I'll be truthful and admit that I've not read absolutely this entire thread but so far I'm seeing a couple problems. If you're convinced that someone is getting to you wirelessly, why haven't you disabled wireless, bluetooth and ethernet (for good measure) in the BIOS prior to a nice boot from readonly media (DVD burned from a known clean machine) followed by destruction of the execution path. That's a simple as shift+f10 at the first screen of the Windows 7 installer (again off readonly media) and a few commands available from it. Then install and don't plug ANYTHING with storage into the box and test. That means no network of any kind and no external storage. If you still get "infected" then I'll drive on up to where you're at and fix it. You see, I am in the Chicago area and I am a computer science instructor.

The other thing I've noticed is that you seem to change several variables between tests when troubleshooting. You cannot perform root cause analysis that way. Your results can never be 100% trusted.
My System SpecsSystem Spec
Closed Thread

 This is a Security issue, but more!!!

Thread Tools

Similar help and support threads
Thread Forum
Security issue: IE10 Security message when opening MSN
I normally use MSN as my home page when I browse with IE10 as my default browser. This morning when I checked my email I had a message that purported to be from Microsoft that stated thew following: Microsoft account Security alert We think that someone else might have accessed the...
Browsers & Mail
Security Issue
Hi golden i have MWB as well and thought of myself as pretty secure however i let my parents get ahold of the comp and theres trojans and text files and crazy shiz neway i follow the path provided to where one of the virus's resided and low and behold i couldnt get to the dang cookies neway i...
System Security
Ad-Hoc Security Issue
Ok I hope you can help me out here. I'm convinced this is a security issue. From time to time my laptop drops wireless signal & when I try to re-connect to my router, I notice there's this available ad-hoc network to connect to called hp.nomodel etc... I of course have never connected to this...
System Security
Please help me! Security issue
Hi all.. sorry about the uppercase title but Im desperate.. I have a sony vaio windows 7, since Im 20 and my mom wanted to use my laptop at times I HAD to make her an independent account and manage my sharing and security settings, so I denied her account all permissions etc.. but now I cant...
Network & Sharing
Urgent!!! security issue
I apologise if i am posting this in the wrong place but this is quite urgent. 2 of my accounts have just been hacked,, and it seems my windows live account had a hack attempt on it. I am trying to reset my passwords, but i beleive there is either a keylogger on the pc or smth wrong with windows...
System Security

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 19:51.
Twitter Facebook Google+