This is a Security issue, but more!!!


  1. Posts : 57
    Windows 7
    Thread Starter
       #111

    Here is a screenshot in Linux, where I know he is in addition to Windows. To anyone with strong Linux skills who knows precisely what "ps a" was designed as a command to show the user: tell me what it is, in fact, showing us?

    I can get around in Linux but do not have the same knowledge that I have in Windows. The man page for ps states the following (for option/switch "a"), which is too confusing for me:

    a - Lift the BSD-style "only yourself" restriction, which
    is imposed upon the set of all processes when some
    BSD-style (without "-") options are used or when the ps
    personality setting is BSD-like. The set of processes
    selected in this manner is in addition to the set of
    processes selected by other means. An alternate
    description is that this option causes ps to list all
    processes with a terminal (tty), or to list all
    processes when used together with the x option.


    Note in the screenshot that the X11 process is the only one that has a timestamp -- good evidence running to the possibility that it is from another machine. And X11 is a terminal emulator. I did not want to describe anything I didn't know, so I pasted this from a Linux site.

    Glossary: The X Window System was specifically designed to allow the graphical output of a program running on one machine to appear on a different machine, possibly one that is physically remote and/or a different make and architecture. In other words, X11 was designed to be a platform-independent, networked graphics framework.


    In X11 parlance, the "display" denotes the box on which the graphical output will appear. Interestingly, an individual display is defined by the X11 documentation as having exactly one keyboard and one pointer (i.e., mouse), but potentially multiple CPUs, monitors, etc.


    The "screen" corresponds to the actual physical display device; in most cases this will be a monitor. X11 allows for an arbitrary number of screens to be connected to each display. Think of a workstation with two monitors or a departmental server, connected to a larger number of (relatively dumb) X terminals.
    Jacee: Until I get back into Windows, this is the best evidence I have of another machine networked to mine. I hope to get back in soon... I do not know if I want to reinstall everything on a clean drive or just install 7 (which still keeps the old system on the root, correct?). I have used this particular installation for a few days now and I would like to retrieve some things from it.

    Also, I want to tell of at least one added observation I had in the course of the last 12 hours. It happened while I was in Linux (or at some other time, but based on what I will describe shortly, the time requirements must have been such that I had to have the laptop on and not be in Windows, and it is not too frequent that I am in Linux for the several hours I was last night reading from MSDN).

    When I left Linux and tried to start Windows, I found that I came to a black screen about 10 seconds after BIOS. I was surprised also that no function keys except F10 worked during the BIOS startup, UNLESS I entered BIOS using F10, loaded default settings, saved them, and came back out to restart. Then I could use function keys -- one of which is a shortcut menu to modify the boot sequence -- so I could force the PC to go to the CD, since the CD/DVD drive, which had a bootable CD in it, was not being accessed although it has long since been ordered to boot from floppy, CD, USB, then HD. The floppy had been disabled (I don't have one, but it is just an observation) as well.

    When I finally got to the Windows 7 PE environment, I opened Notepad to look around at the volumes. My Recovery partition, which is to restore my system to factory settings and image, had been decimated and moved. Well, it was copied. There were four log files in the Windows directory of the now mostly empty Recovery directory. They showed that a script had run to move certain Windows elements to another volume which had been assigned the letter D. Anything else was deleted. Also, there was another log file that had about 30 lines showing "PRELOAD BASEX.wim" where X was sequentially numbered starting from 1. So this explained to me how he is always there before me, ready to go. He has all of his functionality which I do not have before I even log in to Windows. Now here is one coincidence that is very unfortunate: I immediately thought to grab those log files. But I was in PE, and I think I mentioned that my WD backup drive -- usually always connected -- is not working right now. If memory serves, USB flash drives were always recognized in PE, but today I could not get one to show up. I even used a new one which I had been saving for the day that I was rid of this problem, so that if I needed a flash drive I would have a clean one available. But I could do nothing. I do not know how to burn a CD from the command line -- nor if it is even possible from PE, but I would have done that. I was stuck looking at the best evidence yet of the existence of something that showed more than a typical virus' sense of purpose, and I could not copy it or move it to post it here. Sorry. I hope this type of thing never happens again, or I surely will go crazy. During this I had the dreadful thought that even if I actually met Baarod for his help, my laptop would somehow seem as if nothing out of the ordinary was taking place. But I do not think that will happen, as there have been far more times when I have not had any problems taking a screenshot, pasting it into Paint, then saving it to a flash drive for safe-keeping...

    Another point I confirmed was when I was in Linux today: I did a command which shows active and running hardware. One line in particular caught my eye. It said "Kernel, time since start=22:10", which means the CPU had been with power for 22 hours. This is twice now I have observed, in either Windows or Linux, that my PC has been "on", or with power, far longer than I have realized.

    Yesterday, prior to my reading MSDN, I left my house with my laptop and took a walk. I was hoping to avoid going to find another PC to create a bootable AV CD as I intended originally. I thought if I changed location and kept moving, perhaps I could boot the PC and burn an image quickly.

    While I was walking, at least three times I powered down the laptop using my usual routine of taking the battery out and holding down the power button for 15-30 seconds (approx.). I know now that this is far too short a period to completely discharge the motherboard. 22 hours earlier I had put the battery back in the notebook, because I decided that I would leave it out while I slept last night -- for all of 3 hours -- which was not enough for me, but enough to apparently discharge the notebook completely. I will have to check specs on HP's website, but I wonder how long the notebook can hold power without the battery.... I had suggested in an earlier post that this might be half of the confusion.... he always seems to be in there (my laptop) -- and he survives the swapping of hard drives (maybe), because he rarely needs to leave since there is power....

    The notebook never completely loses power unless the battery is removed for a minimum period. And right now, my only evidence as to this information is that 3 hours is enough time but I wish I knew a shortcut to discharging it a bit more quickly.

    Paul

    and good night
    Last edited by pjvex386; 18 May 2009 at 16:25.


  2. Posts : 4
    Windows 7, Windows XP SP3 x86
       #112

    pjvex386,

    I've been following your thread for a while now, and I'm really wondering if you read my post a page or so ago. I'm certain this will be sufficient to rid you of your infection.

    When you booted into the Linux live CD (which is write protected, so it operates from memory only), the possibility of you being infected is probably less than 1%. The reason being, as stated above, the live CD runs in your CPU/RAM only. It doesn't touch your disk. You could remove all hard drives in their entirety and still boot the live CD and use it. The only possible way any infection that is using advanced techniques, such as infecting your recovery partition, BIOS, or GPU, could possibly compromise the Linux distro running entirely in RAM is if it was memory resident and had the capability to real-time patch data in your memory, on Windows and all Linux flavors. This would be VERY complicated to do, as each operating system stores data in different areas of memory. The attacker would need to be intimate with your specific hardware and BIOS. The possibility of this is extremely low.


    I suggest you read my previous post, follow all the steps, and enjoy your clean Windows machine.

    Good luck!


    *EDIT*

    The screenshot you supplied looks fine!
    Last edited by compussrnj; 18 May 2009 at 18:03. Reason: 'Cause i can


  3. Posts : 5,840
    Vista Ult64, Win7600
       #113

    compussrnj said:
    pjvex386,

    I've been following your thread for a while now, and I'm really wondering if you read my post a page or so ago. I'm certain this will be sufficient to rid you of your infection.

    When you booted into the Linux live CD (which is write protected, so it operates from memory only), the possibility of you being infected is probably less than 1%. The reason being, as stated above, the live CD runs in your CPU/RAM only. It doesn't touch your disk. You could remove all hard drives in their entirety and still boot the live CD and use it. The only possible way any infection that is using advanced techniques, such as infecting your recovery partition, BIOS, or GPU, could possibly compromise the Linux distro running entirely in RAM is if it was memory resident and had the capability to real-time patch data in your memory, on Windows and all Linux flavors. This would be VERY complicated to do, as each operating system stores data in different areas of memory. The attacker would need to be intimate with your specific hardware and BIOS. The possibility of this is extremely low.


    I suggest you read my previous post, follow all the steps, and enjoy your clean Windows machine.

    Good luck!


    *EDIT*

    The screenshot you supplied looks fine!
    I'd say you have two chances of that happening. This man does not do anything that he is asked to do; he just goes on and on trying to convince everybody that he is telling the truth, and just seems to ignore everyone's requests to do certain things that may help him.


  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #114

    I agree with jfar... all apparent good help has been ignored. So either pjvex386 is conducting his own experiments or is just missing the boat completely.


  5. Posts : 5,747
    7600.20510 x86
       #115

    I concur and think he is doing this for his own amusement. When the admin verifies as a "freak thread", it does add an lol factor.


  6. Posts : 4
    Windows 7, Windows XP SP3 x86
       #116

    Yes, I agree, this must be a lonely troll doing it for kicks. If that's the case (which I'm almost certain), I hope he has a nasty run-in with Parite.


  7. Posts : 6,885
    Windows 7 Ultimate x64, Mint 9
       #117

    Hey pjvex386,

    I have two suggestions for you:
    One, go buy a BRAND NEW HDD and destroy the old one (or nuke it with Boot and Nuke).
    Two, go buy a LEGAL copy of WINDOWS (any one) from a damn STORE! Get a LEGIT CD key, and INSTALL IT FRESH. Then, go BUY a ROUTER from a STORE, and SIGN UP for an ISP service and get a MODEM. BUY an AV/FIREWALL and INSTALL it FIRST thing after installing your LEGAL copy of Windows, WHILE YOU ARE NOT CONNECTED TO THE INTERNET.

    If this DOES NOT solve it, then you should ACTUALLY DO IT, and stop being so paranoid.

    ~Lordbob


  8. Posts : 30
    Windows 7 64-bit
       #118

    Lordbob75 said:
    Hey pjvex386,

    I have two suggestions for you:
    One, go buy a BRAND NEW HDD and destroy the old one (or nuke it with Boot and Nuke).


    ~Lordbob
    If you read through the thread carefully, you'll see that a new HD was already purchased to replace the original.

    In reply to the ps command: a quick search reveals that it lists what processes are currently running. The -A switch, like ls -a, lists all processes, while the lower case "-a" switch lists info on the most requested processes.

    Would you have been doing this around 10 pm, by any chance?


  9. Posts : 4,364
    Windows 11 21H2 Current build
       #119

    Correct - however, if you're running a version of Linux that has a GUI of any kind running, you can pretty much bet that there is going to be an X process running, on top of which your DM of choice will run, right?

    So how is that X call unusual? Only way I can see it being unusual is if you're running a strictly command line client that never calls X to start.


  10. Posts : 30
    Windows 7 x86
       #120

    What an interesting read. I would have to concur with the last few posts and the Admin's conclusive findings on this one.

    May I suggest turning down the transmit power on your wifi router or Bluetooth, as you say you took a walk and say this little man is still in there hacking you. I think the power may be at such a level that it's frying something other than eggs.

