This is a Security issue, but more!!!


  1. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #51

    Ooh man!
    You can try to clean up that flash drive, or smash it and throw it away. They aren't that expensive any more.

    Flash_Disinfector link
    http://download.bleepingcomputer.com...isinfector.exe

    Next, turn off the Autorun feature in Windows
    http://www.howtogeek.com/howto/windo...nd-usb-drives/

    *** Note: Be sure to insert your flashdrive before you begin!

    Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    Wait until it has finished scanning and then exit the program.
    Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



    PS ... my antivirus was claiming that a virus wanted access to my computer when I clicked on the disinfector link. It's a direct download, and it's safe!


  2. Posts : 57
    Windows 7
    Thread Starter
       #52

    Updates! Jaycee and the kind lot of you please read...


    If you have been following our story....
    Last week you may remember, Flash Gordon and Dale Arden saved the Earth from destruction by shooting a rocket at a planet which threatened to collide with it. They became marooned; the Emperor, Ming the Merciless, ordered Flash killed.....
    OK...so that is another story.... but if you have been following my story, I apologize for the lack of a response. My personal/financial life has been under some duress (and while I certainly cannot blame my new so-called "imaginary friend" who lives in my laptop (and moved to my new laptop because my idiocy (see my last post) answered that old question "did your mother have any children that lived?" with a resounding NO).

    Well, it has been 28 days with my brand new HP dv4 1225 dx laptop (specs: AMD 64x Turion X2, 4ddr GB RAM...plus I still have my WD 500GB drive, which has been the only thing that has prevented me from going insane because I am allowed to keep some work product on this drive).

    But I have a revelation for you all. Remember how so many would scoff at my idea that there was access to my laptop if I turned the wireless switch off--and I went so far as to remove the wireless NIC--and to my surprise, and everyone else's disbelief (save this board), he (the perp who is in control of this virus/trojan, and therefore 100% in control of my laptop) still had a very noticeable dynamic presence. I was stumped -- and just about considered psychiatric help.

    But now...after reading and researching and dealing with my own personal menace -- who enjoys torturing me day after day -- at any hour and for any length of time (which to me is the most unbelievable thing...I can see in some situations, scripts with automated responses can be used, but there are times when he is returning a volley of mine and it is just too well-tailored to be code-based...this type of a response can happen during any one of 24 hours in a day--so he is alerted when I do something or never sleeps....I would have to say that he cannot be much of a family man given how much time he is at his PC).

    In fact....even though he has been quite egregious in some acts (I caught that his name is Brendan) since he knows that I know about him, I will say that I am surprised I am even allowed to write this post on the laptop in question because I am sure that not only does he know what I am typing at this second by virtue of having a VM-type screen on his monitor, or having a keylogger VPNed or on my disk....and to add more insult to injury, my new laptop has a built-in webcam, so he can probably see me furiously racing through the stack of books I have purchased in my losing battle with this trojan and the man or person behind it.

    I have come close to really wiping all 250.5 GB of my drive, but since I do not have the HP driver installation recovery disks, I have not been able to do that. I do know now that on this laptop and on my old laptop, he would set aside X amount of disk space which I could never touch....I know that manufacturers use protected storage for a reason, but I have tried to use utilities to free up this protected area to no avail. My System Info still says
    Capacity 238GB (250,547,000 B).

    The only solution then is to wipe the entire drive and use the recovery disks (but do I need to tattoo the motherboard too?...that is one of my current questions).

    But here is the big news -- in my opinion -- and some of you may have heard of this a little before, but I was completely unaware of this vulnerability. The gang at MS knows about it (but the issue in question is barely mentioned or discussed as far as I can tell), but from what I have experienced.... this should be a very big bug alert.....If this was not addressed (and apparently on a brand new laptop running Norton and Vista 64x it was not caught) who knows how big of a potential problem this could be....Ready everyone??????


    When I first removed my wireless NIC on my own laptop, I assumed there must have been another RF device on it. How else could I explain the fact that he was still exercising some control? I did the same thing on this new laptop, also an HP (but this is not HP dependent), and had the same problem....

    Here is the key to the magic..... Bluetooth. This guy is using Bluetooth from any AP (as he is using UDP via IPv6) to connect first and control my laptop -- even though the data throughput for BT is only 1MB/s maximum...that is enough. And with development of BT in recent years, and with the right power behind it, the range can be up to 1 mile!

    So the bottom line is that my trojan advertises not from the Wireless NIC, but from some BT device... something audio related, as my audio never works unless I install the driver from the website (and boy does he get mad when I shut down the process entitled audiohg (but he has since found a workaround to this--he subsequently used some component of Windows Presentation, and now I do not know what he is doing). The trojan advertises my address and the radio signal picks it up. Given the range of Bluetooth, it is impossible for me to hide from it -- no matter where I am, so is he). He quickly picks up this beacon, whether I am with or without wireless capability. He is in control of my laptop. Now if I really screw around with the drive and reformat it slow and install Linux, then install XP until it crashes (because I have a SATA drive), then most of what he normally hides on my disk someplace is gone and it does take him a while to get back to a level where he can do anything....including the use of X11 or samba shares to destroy any refreshing experience I could possibly derive from using Linux (Ubuntu). [I have logged on to a fresh install of Ubuntu Intrepid, and I am always pleasantly informed that I am not root.]

    And while I would like to have this person drawn and quartered, I have to give him my respect for his thorough knowledge of windows server/client environments (NT, 2003, and 2008), Linux, all software, hardware, EVERYTHING. This guy is no slouch. But it underscores one thing. If he wanted to be purely malicious, he could have been. He is merely an annoyance and prevents me from doing many things when I want to. Many people would not even know he is there. But I like my system set up in a certain way and have been around windows long enough to know the way the "kernel" works.

    So, though I know a complete wipe and reinstall will cure my problem, it would still give me great joy to defeat him without doing that. If someone can take me to the next step, I would be grateful.. Really, if I could only have an intimate understanding (as if it is a trivial thing) of the Vista/WIN7 registry, I could get rid of this guy in an hour.... but alas, I do not -- nor do very many others -- possess this knowledge.

    But he does. And very well too.

    Paul

    The only thing I am going to attach in the way of diagnostics is a Sysinternals run of LoadOrd, which shows everything that is loaded at startup. But please, anyone out there, if you need something let me know. Also, my offer from a few months ago still stands: if anyone would like to get on the phone with me and Putty/Plink/SSH into my laptop and have a look-see, I would love it.....


    Columns are:
    "Start Value" "Group Name" "tag" "Service/Device" "Display Name" "Image Path"

    Boot WdfLoadGroup n/a* Wdf01000 Kernel Mode Driver Frameworks service
    Boot Boot Bus Extender 1 ACPI Microsoft ACPI Driver
    Boot Boot Bus Extender 2 msisadrv
    Boot Boot Bus Extender 3 pci PCI Bus Driver
    Boot Boot Bus Extender 6 vdrvroot Microsoft Virtual Drive Enumerator Driver
    Boot Boot Bus Extender n/a* partmgr @%SystemRoot%\system32\drivers\partmgr.sys,-100
    Boot System Bus Extender 7 Compbatt Microsoft Composite Battery Driver
    Boot System Bus Extender 9 volmgr Volume Manager Driver
    Boot System Bus Extender 10 volmgrx @%SystemRoot%\system32\drivers\volmgrx.sys,-100
    Boot System Bus Extender 15 pciide
    Boot System Bus Extender n/a* mountmgr @%SystemRoot%\system32\drivers\mountmgr.sys,-100
    Boot SCSI Miniport 33 atapi IDE Channel
    Boot SCSI Miniport 64 msahci
    Boot SCSI miniport n/a* amdxata
    Boot FSFilter Infrastructure 1 FltMgr @%SystemRoot%\system32\drivers\fltmgr.sys,-10001
    Boot FSFilter Bottom n/a* FileInfo @%SystemRoot%\system32\drivers\fileinfo.sys,-100
    Boot Filter 1 CLFS @%SystemRoot%\system32\clfs.sys,-100
    Boot Base 1 KSecDD
    Boot Base 2 CNG
    Boot Base n/a* pcw Performance Counters for Windows Driver
    Boot File System n/a* Fs_Rec
    Boot NDIS Wrapper n/a* NDIS @%SystemRoot%\system32\drivers\ndis.sys,-200
    Boot Cryptography 2 KSecPkg
    Boot PNP_TDI 3 Tcpip @%SystemRoot%\system32\tcpipcfg.dll,-50003
    Boot Extended Base n/a* storflt @%SystemRoot%\system32\vmstorfltres.dll,-1000
    Boot n/a* n/a* Disk Disk Driver
    Boot PnP Filter* 5* fvevol @%SystemRoot%\system32\drivers\fvevol.sys,-100
    Boot n/a* n/a* hwpolicy @%systemroot%\system32\drivers\hwpolicy.sys,-101
    Boot Network* n/a* Mup @%systemroot%\system32\drivers\mup.sys,-101
    Boot PnP Filter* 2* rdyboost ReadyBoost
    Boot n/a* n/a* spldr Security Processor Loader Driver
    Boot n/a* n/a* volsnap Storage volumes
    System SCSI CDROM Class 3 cdrom CD-ROM Driver
    System Base 1 Null
    System Base 2 Beep Beep
    System Video Save 1 VgaSave
    System Video Save n/a* RDPCDD @%systemroot%\system32\DRIVERS\RDPCDD.sys,-100
    System Video Save n/a* RDPENCDD @%systemroot%\system32\drivers\RDPENCDD.sys,-101
    System Video Save n/a* RDPREFMP @%systemroot%\system32\drivers\RdpRefMp.sys,-101
    System File system n/a* Msfs
    System File system n/a* Npfs
    System PNP_TDI 4 tdx @%SystemRoot%\system32\tcpipcfg.dll,-50004
    System PNP_TDI n/a* AFD @%systemroot%\system32\drivers\afd.sys,-1000
    System PNP_TDI n/a* NetBT @%SystemRoot%\system32\drivers\netbt.sys,-2
    System NDIS 16 WfpLwf WFP Lightweight Filter
    System NDIS 18 Psched @%SystemRoot%\System32\drivers\pacer.sys,-101
    System NDIS 24 vwififlt Virtual WiFi Filter Driver
    System NetBIOSGroup 2 NetBIOS NetBIOS Interface
    System n/a* n/a* blbdrive
    System network* 9* CSC @%systemroot%\system32\cscsvc.dll,-202
    System Network* n/a* DfsC @%systemroot%\system32\drivers\dfsc.sys,-101
    System n/a* n/a* discache @%systemroot%\system32\drivers\discache.sys,-102
    System n/a* n/a* mssmbios Microsoft System Management BIOS Driver
    System n/a* n/a* nsiproxy @%SystemRoot%\system32\drivers\nsiproxy.sys,-2
    System Network* 4* rdbss @%systemroot%\system32\wkssvc.dll,-1000
    System n/a* n/a* TermDD Terminal Device Driver
    System n/a* n/a* Wanarpv6 @%systemroot%\system32\rascfg.dll,-32012
    Automatic FSFilter Virtualization n/a* luafv @%systemroot%\system32\drivers\luafv.sys,-100
    Automatic COM Infrastructure n/a* DcomLaunch @oleres.dll,-5012
    Automatic COM Infrastructure n/a* RpcEptMapper @%windir%\system32\RpcEpMap.dll,-1001
    Automatic COM Infrastructure n/a* RpcSs @oleres.dll,-5010
    Automatic Event Log n/a* eventlog @%SystemRoot%\system32\wevtsvc.dll,-200
    Automatic AudioGroup n/a* AudioEndpointBuilder @%SystemRoot%\system32\audiosrv.dll,-204
    Automatic AudioGroup n/a* AudioSrv @%SystemRoot%\system32\audiosrv.dll,-200
    Automatic AudioGroup n/a* STacSV Audio Service
    Automatic ProfSvc_Group n/a* CscService @%systemroot%\system32\cscsvc.dll,-200
    Automatic ProfSvc_Group n/a* gpsvc @gpapi.dll,-112
    Automatic profsvc_group n/a* ProfSvc @%systemroot%\system32\profsvc.dll,-300
    Automatic ProfSvc_Group n/a* SENS @%SystemRoot%\system32\Sens.dll,-200
    Automatic ProfSvc_Group n/a* Themes @%SystemRoot%\System32\themeservice.dll,-8192
    Automatic UIGroup n/a* UxSms @%SystemRoot%\system32\dwm.exe,-2000
    Automatic MS_WindowsLocalValidation n/a* SamSs @%SystemRoot%\system32\samsrv.dll,-1
    Automatic PlugPlay n/a* PlugPlay @%SystemRoot%\system32\umpnpmgr.dll,-100
    Automatic Plugplay n/a* Power @%SystemRoot%\system32\umpo.dll,-100
    Automatic PlugPlay n/a* wudfsvc @%SystemRoot%\system32\wudfsvc.dll,-1000
    Automatic NDIS 14 rspndr Link-Layer Topology Discovery Responder
    Automatic NDIS 15 lltdio Link-Layer Topology Discovery Mapper I/O Driver
    Automatic TDI n/a* Dhcp @%SystemRoot%\system32\dhcpcore.dll,-100
    Automatic TDI n/a* Dnscache @%SystemRoot%\System32\dnsapi.dll,-101
    Automatic TDI n/a* lmhosts @%SystemRoot%\system32\lmhsvc.dll,-101
    Automatic TDI n/a* Wlansvc @%SystemRoot%\System32\wlansvc.dll,-257
    Automatic ShellSvcGroup n/a* ShellHWDetection @%SystemRoot%\System32\shsvcs.dll,-12288
    Automatic SchedulerGroup n/a* Schedule @%SystemRoot%\system32\schedsvc.dll,-100
    Automatic SpoolerGroup n/a* Spooler @%systemroot%\system32\spoolsv.exe,-1
    Automatic NetworkProvider n/a* BFE @%SystemRoot%\system32\bfe.dll,-1001
    Automatic NetworkProvider n/a* LanmanWorkstation @%systemroot%\system32\wkssvc.dll,-100
    Automatic NetworkProvider n/a* MpsSvc @%SystemRoot%\system32\FirewallAPI.dll,-23090
    Automatic n/a* n/a* adfs
    Automatic n/a* n/a* AESTFilters Andrea ST Filters Service
    Automatic n/a* n/a* Apple Mobile Device Apple Mobile Device
    Automatic n/a* n/a* Bonjour Service Bonjour Service
    Automatic n/a* n/a* clr_optimization_v2.0.50727_32 Microsoft .NET Framework NGEN v2.0.50727_X86
    Automatic n/a* n/a* clr_optimization_v2.0.50727_64 Microsoft .NET Framework NGEN v2.0.50727_X64
    Automatic n/a* n/a* CryptSvc @%SystemRoot%\system32\cryptsvc.dll,-1001
    Automatic n/a* n/a* DPS @%systemroot%\system32\dps.dll,-500
    Automatic n/a* n/a* EventSystem @comres.dll,-2450
    Automatic n/a* n/a* FDResPub @%systemroot%\system32\fdrespub.dll,-100
    Automatic n/a* n/a* iphlpsvc @%SystemRoot%\system32\iphlpsvc.dll,-500
    Automatic n/a* n/a* LanmanServer @%systemroot%\system32\srvsvc.dll,-100
    Automatic n/a* n/a* MMCSS @%systemroot%\system32\mmcss.dll,-100
    Automatic n/a* n/a* NlaSvc @%SystemRoot%\System32\nlasvc.dll,-1
    Automatic n/a* n/a* nsi @%SystemRoot%\system32\nsisvc.dll,-200
    Automatic n/a* n/a* PcaSvc @%SystemRoot%\system32\pcasvc.dll,-1
    Automatic n/a* n/a* PEAUTH PEAUTH
    Automatic n/a* n/a* secdrv Security Driver
    Automatic n/a* n/a* sppsvc @%SystemRoot%\system32\sppsvc.exe,-101
    Automatic n/a* n/a* SysMain @%SystemRoot%\system32\sysmain.dll,-1000
    Automatic n/a* n/a* tcpipreg TCP/IP Registry Compatibility
    Automatic n/a* n/a* TrkWks @%SystemRoot%\system32\trkwks.dll,-1
    Automatic n/a* n/a* WinDefend @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
    Automatic n/a* n/a* Winmgmt @%Systemroot%\system32\wbem\wmisvc.dll,-205
    Automatic n/a* n/a* wscsvc @%SystemRoot%\System32\wscsvc.dll,-200
    Automatic n/a* n/a* WSearch @%systemroot%\system32\SearchIndexer.exe,-103
    Automatic n/a* n/a* wuauserv @%systemroot%\system32\wuaueng.dll,-105


  3. Posts : 57
    Windows 7
    Thread Starter
       #53

    I forgot one thing


    One more thing.... one thing this guy will not let me touch is the hiberfil.sys on the root drive. It is hidden. I can delete the pagefile.sys, but not the hiberfil.sys. As Administrator, I am not even allowed to look at the security tab.

    See Screenshot below.
    Attached Thumbnail: This is a Security issue, but more!!!-hiberfil.png


  4. Posts : 910
    Win 7
       #54

    Run an elevated command prompt, "powercfg -h off", and bam, say goodbye hiberfil.sys. I would ditch the Bonjour service as well if I was you.


  5. Posts : 57
    Windows 7
    Thread Starter
       #55

    Wow...nice.

    I did that and it worked--no more hiberfil. But the three-card monte game continues. Now the pagefile.sys is the file I cannot delete. First the pagefile.sys was hidden, so I did a c:\attrib -a -s -h -r -i *.* and I got the following:
    Unable to change attribute - C:\pagefile.sys



    When I try to look at the properties, I get the same as I did for the hiberfil.sys. See screenshot.

    I would be glad to get rid of those because those contain files that make his hijacking jobs a lot easier.....

    Yup. Thanks for your response. I would like to rid my drive of those files (although I understand the utility of the pagefile).

    My main question to you and to anyone (and everyone) is .... is there a registry setting where I can disable all bluetooth connectivity? Plus make this setting persistent, and not in a volatile environment.....?????



    And Yup, I hate Apple's use of Bonjour...nothing but trouble. I have just reinstalled everything so many times, I forget about that. Anyway I clicked it away in HJT. Speaking of which, I thought I would paste my current run of HJT for anyone so that it may be of assistance. I marked entries in red I am concerned about.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:11:40 AM, on 5/2/2009
    Platform: Unknown Windows (WinNT 6.01.2981)
    MSIE: Internet Explorer v8.00 (8.00.7077.0000)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe
    O1 - Hosts: ::1 localhost
    O4 - HKLM\..\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
    O13 - Gopher Prefix:
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_8b2066212420dc24\AESTSr64.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)

    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files (x86)\WinPcap\rpcapd.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_8b2066212420dc24\STacSV64.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)


    --
    End of file - 6152 bytes


    Paul
    Attached Thumbnail: This is a Security issue, but more!!!-pagefile.png


  6. Posts : 910
    Win 7
       #56

    Type "virtual memory" in the Start menu; it will show you how to turn off the pagefile. As for Bluetooth, there is a service that can be disabled for that.


  7. Posts : 2,899
    Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
       #57

    YupYup said:
    Type "virtual memory" in the start menu it will show you how to turn off the pagefile, as for bluetooth there is a service that can be disabled for that.
    Not only that, but you can disable the driver or uninstall it...
    You can even uninstall the driver and delete the service...
    As for the reason for the pagefile not being accessible, it is more by design, as your OS and apps write to disk and back.
    This article should be a good start on that:
    http://blogs.technet.com/askperf/arc...or-anyway.aspx


  8. Posts : 57
    Windows 7
    Thread Starter
       #58

    Thanks guys


    Yup & Dark (and to others who may be reading).

    I understand some of the basics of the pagefile--i.e. that it is virtual memory, and how windows uses it.

    Perhaps I am just getting skittish..... but that is also why I offered to let someone SSH to my PC... I have been posting about this particular issue since late February and it spans two laptops (again, my fault for reinfecting the second laptop).

    But first, let me just get some foundational understanding since I have no benchmarks....

    After deleting the hiberfil (and again, thank you for that command...honestly, I may have tried to use it before, but the file names in my system32 directory change quite often), this is what my C:\ root directory drive looks like (using c:\dir /a). Can someone confirm that for Win 7, 64 bit, these are all common directories?

    Volume in drive C has no label.
    Volume Serial Number is A269-346A

    Directory of C:\

    05/01/2009 01:34 PM <DIR> $Recycle.Bin
    04/05/2009 12:34 AM <JUNCTION> Documents and Settings [C:\Users]
    05/02/2009 03:50 AM 4,024,258,560 pagefile.sys
    04/04/2009 09:44 PM <DIR> PerfLogs
    05/01/2009 05:13 PM <DIR> Program Files
    05/02/2009 11:06 AM <DIR> Program Files (x86)
    05/01/2009 05:13 PM <DIR> ProgramData
    05/01/2009 01:34 PM <DIR> Recovery
    05/02/2009 09:23 AM <DIR> swsetup
    05/02/2009 11:05 AM <DIR> System Volume Information
    05/01/2009 01:34 PM <DIR> Users
    05/02/2009 11:07 AM <DIR> Windows
    2 File(s) 4,024,259,457 bytes
    11 Dir(s) 228,287,938,560 bytes free



    Then...next is a log of the Sysinternals diag app called TCPVIEW which I believe I posted here once before. Now at the time of this log I was on the internet, and was in gmail, and on another board in addition to this one. But there are so many IPv6 and UDP connections (which is another signature -- in my opinion -- of something being not quite right), that I wanted to get your opinion. I had mentioned in a post several weeks ago that the use of the loopback adapter with IPv6 is a component to this as well.

    [Note: Security Team is a board I was on when I ran this, and also, "Prague" is the name of my pc.]


    TCPVIEW LOG/SNAPSHOT
    AppleMobileDeviceService.exe:1460 TCP Prague:27015 Prague:0 LISTENING
    firefox.exe:2580 TCP Prague:49383 localhost:49384 ESTABLISHED
    firefox.exe:2580 TCP Prague:49384 localhost:49383 ESTABLISHED
    firefox.exe:2580 TCP Prague:49385 localhost:49386 ESTABLISHED
    firefox.exe:2580 TCP Prague:49386 localhost:49385 ESTABLISHED
    firefox.exe:2580 TCP prague:51725 198.63.194.35:http ESTABLISHED
    firefox.exe:2580 TCP prague:51730 icebridge-c.infospace.com:http ESTABLISHED
    firefox.exe:2580 TCP prague:51761 iw-in-f19.google.com:http ESTABLISHED
    firefox.exe:2580 TCP prague:51774 host-server1-support-securityteam.com:https CLOSE_WAIT
    firefox.exe:2580 TCP prague:51775 iw-in-f19.google.com:http ESTABLISHED
    jusched.exe:2416 TCP prague:49330 198.63.203.73:http CLOSE_WAIT
    lsass.exe:528 TCP Prague:49156 Prague:0 LISTENING
    lsass.exe:528 TCPV6 prague:49156 prague:0 LISTENING
    services.exe:488 TCP Prague:49155 Prague:0 LISTENING
    services.exe:488 TCPV6 prague:49155 prague:0 LISTENING
    svchost.exe:1172 UDP Prague:llmnr *:*
    svchost.exe:1172 UDPV6 prague:5355 *:*
    svchost.exe:1504 UDP Prague:ssdp *:*
    svchost.exe:1504 UDP prague:ssdp *:*
    svchost.exe:1504 UDP Prague:ws-discovery *:*
    svchost.exe:1504 UDP Prague:ws-discovery *:*
    svchost.exe:1504 UDP Prague:49152 *:*
    svchost.exe:1504 UDP prague:61501 *:*
    svchost.exe:1504 UDP Prague:61502 *:*
    svchost.exe:1504 UDPV6 [0:0:0:0:0:0:0:1]:1900 *:*
    svchost.exe:1504 UDPV6 [fe80:0:0:0:f1b7:192:5db4:4cf3]:1900 *:*
    svchost.exe:1504 UDPV6 prague:3702 *:*
    svchost.exe:1504 UDPV6 prague:3702 *:*
    svchost.exe:1504 UDPV6 prague:49153 *:*
    svchost.exe:1504 UDPV6 [fe80:0:0:0:f1b7:192:5db4:4cf3]:61499 *:*
    svchost.exe:1504 UDPV6 [0:0:0:0:0:0:0:1]:61500 *:*
    svchost.exe:736 TCP Prague:epmap Prague:0 LISTENING
    svchost.exe:736 TCPV6 prague:135 prague:0 LISTENING
    svchost.exe:832 TCP Prague:49153 Prague:0 LISTENING
    svchost.exe:832 TCPV6 prague:49153 prague:0 LISTENING
    svchost.exe:832 UDPV6 [fe80:0:0:0:f1b7:192:5db4:4cf3]:546 *:*
    svchost.exe:928 TCP Prague:49154 Prague:0 LISTENING
    svchost.exe:928 TCPV6 prague:49154 prague:0 LISTENING
    *System:4 TCP prague:netbios-ssn Prague:0 LISTENING
    *System:4 TCP Prague:microsoft-ds Prague:0 LISTENING
    *System:4 TCP Prague:icslap Prague:0 LISTENING
    *System:4 TCP Prague:wsd Prague:0 LISTENING
    *System:4 UDP prague:netbios-ns *:*
    *System:4 UDP prague:netbios-dgm *:*
    *System:4 TCPV6 prague:445 prague:0 LISTENING
    *System:4 TCPV6 prague:2869 prague:0 LISTENING
    *System:4 TCPV6 prague:5357 prague:0 LISTENING
    wininit.exe:424 TCP Prague:49152 Prague:0 LISTENING
    wininit.exe:424 TCPV6 prague:49152 prague:0 LISTENING

    *What are these connections????


    Lastly, as far as Bluetooth... First, are any of you familiar with this vulnerability or have you heard of it being used to implement full PC control? The Microsoft bulletin is not that easy to find, but it is here:
    http://www.microsoft.com/technet/sec.../ms08-jun.mspx and an update to that bulletin here http://support.microsoft.com/kb/951376

    First thing (per Microsoft), I have gone into the c:\windows\inf directory and deleted every file that started with BTH (and there were at least 10), which had extensions of .inf or .pnf. I basically executed a del bth*.inf and a del bth*.pnf. But this did nothing... As far as a Bluetooth service.... there may be one, but it is not a native Windows service.

    I won't list all of my running services now. But as I said in my first post, since day 1, a service related to audio was always running and I never understood why. I had never seen this in XP (nor Vista to the best of my recollection), and it seemed peculiar--especially because when I typically booted up, my audio would not work (the little speaker with the lined-through circle would be orange on my laptop panel). And from what I have read, since bluetooth is often used to connect to audio devices, I guessed that this was a source. I deleted the service and it caused a complete mess of everything. For example, I was denied access to my own root drive. Does there seem to be a causal relationship there?

    But this audio service now does not run. There is another service, but I do not know what it is, and there are too many non-native services for anyone to guess. What I might do (since I do it every two days or so anyway out of necessity) is reformat and reinstall Windows 7 from scratch. Then 10 minutes after that -- without any program installations being done -- I will post my running services and someone can tell me if there is a "fly".

    Paul

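    The listener table asked about in the post above, run through a small triage script. This is an added example, not something from the thread or from any Windows tool: it parses the lines as pasted (process:PID, protocol, local host:port, remote host:port, optional state) and labels each listener that a default Windows 7 install opens on its own. The baseline list is my assumption about a stock system, not something the thread confirms, and the final unknown.exe line is constructed to show how a listener outside that baseline is reported.

```python
"""Triage helper for a pasted Windows socket table.

Added example, not from the forum post. Each input line has the shape
"<process>:<pid> <proto> <local host>:<port> <remote host>:<port> [state]",
exactly as quoted in the thread. Service names are resolved the way Windows
resolved them from the services file; the EXPECTED table is an assumed
baseline of what a stock Windows 7 machine listens on by itself.
"""
import re

# Named ports as they appear in %SystemRoot%\System32\drivers\etc\services.
SERVICE_PORTS = {
    "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
    "microsoft-ds": 445, "icslap": 2869, "wsd": 5357,
}

# Assumed baseline (process name, local port) -> what that listener is.
EXPECTED = {
    ("system", 137): "NetBIOS name service",
    ("system", 138): "NetBIOS datagram service",
    ("system", 139): "NetBIOS session service (file and printer sharing)",
    ("system", 445): "SMB over TCP (file and printer sharing)",
    ("system", 2869): "UPnP device host / ICS (icslap)",
    ("system", 5357): "Web Services for Devices (WSDAPI)",
    ("wininit.exe", 49152): "RPC endpoint in the dynamic range (49152-65535)",
}

LINE_RE = re.compile(
    r"^\*?(?P<proc>[^\s:]+):(?P<pid>\d+)\s+(?P<proto>TCPV6|UDPV6|TCP|UDP)\s+"
    r"(?P<lhost>[^\s:]+):(?P<lport>[^\s:]+)\s+(?P<rhost>[^\s:]+):(?P<rport>[^\s:]+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s*$"
)


def port_number(token):
    """Turn a port token into an integer, resolving service names via SERVICE_PORTS."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token.lower())


def parse_line(line):
    """Parse one pasted line into a dict, or None if the line does not fit the shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "process": m["proc"].lower(),
        "pid": int(m["pid"]),
        "proto": m["proto"],
        "port": port_number(m["lport"]),
        "remote": f"{m['rhost']}:{m['rport']}",
        "state": m["state"] or "",   # UDP rows carry no state column
    }


def triage(lines):
    """Return one (process, pid, proto, port, verdict) tuple per parseable line.

    A row counts as a listener when it is UDP (stateless) or its state is
    LISTENING; every listener is looked up in the assumed baseline."""
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        is_listener = rec["proto"].startswith("UDP") or rec["state"] == "LISTENING"
        if not is_listener:
            verdict = f"not a listener (state {rec['state']})"
        elif rec["port"] is None:
            verdict = "REVIEW: unknown port name"
        else:
            verdict = EXPECTED.get((rec["process"], rec["port"]),
                                   "REVIEW: not in Windows 7 baseline")
        results.append((rec["process"], rec["pid"], rec["proto"], rec["port"], verdict))
    return results


def unexpected(lines):
    """Only the rows a defender needs to look at: listeners outside the baseline."""
    return [r for r in triage(lines) if r[4].startswith("REVIEW")]


# Sample input: the table quoted in the post, plus one constructed
# unknown.exe row to show how a non-baseline listener is reported.
SAMPLE = """\
*System:4 TCP prague:netbios-ssn Prague:0 LISTENING
*System:4 TCP Prague:microsoft-ds Prague:0 LISTENING
*System:4 TCP Prague:icslap Prague:0 LISTENING
*System:4 TCP Prague:wsd Prague:0 LISTENING
*System:4 UDP prague:netbios-ns *:*
*System:4 UDP prague:netbios-dgm *:*
*System:4 TCPV6 prague:445 prague:0 LISTENING
*System:4 TCPV6 prague:2869 prague:0 LISTENING
*System:4 TCPV6 prague:5357 prague:0 LISTENING
wininit.exe:424 TCP Prague:49152 Prague:0 LISTENING
wininit.exe:424 TCPV6 prague:49152 prague:0 LISTENING
unknown.exe:2048 TCP prague:6000 prague:0 LISTENING
""".splitlines()

if __name__ == "__main__":
    for proc, pid, proto, port, verdict in triage(SAMPLE):
        print(f"{proc}:{pid:<5} {proto:<5} {port!s:<6} {verdict}")
```

    The named ports resolve the same way Windows did when it printed them (netbios-ssn is 139, microsoft-ds is 445, icslap is 2869, wsd is 5357), so the TCP and TCPV6 rows are the same services on both address families, and wininit.exe on 49152 is the first port of the dynamic RPC range. Every row quoted in the post lands in the baseline; only the constructed unknown.exe row comes back marked REVIEW, which is the kind of row worth chasing down by PID in Task Manager or Process Explorer.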


  9. Posts : 9,582
    Windows 8.1 Pro RTM x64
       #59

    Hi Paul,

    What is this swsetup directory?


  10. Posts : 57
    Windows 7
    Thread Starter
       #60

    Dwarf:

    That directory is used by HP. It is where drivers are located and it is used in some recovery processes. I do not really use it or know about it because, as I said, I had to reformat this laptop about 3 hours after I bought it. I then installed WIN 7 (Build 7077) on it and then installed drivers from the HP website. But as you may know, HP does not include all drivers...which is why I had to pay and order for the disks so I can then wipe my drive completely.

    EDIT: My mistake...ignore the remainder of my post (except the last paragraph is interesting). The search that I had done (discussed below) came up and I thought it said "C:\installer". Actually the search was done on C:\ but the file I checked said "c:\windows\installer", which is legitimate.

    See? I am getting so jumpy about this... I hate having to feel unsure whether I can or cannot do something on my own system. I cannot explain what I am experiencing...but it is the way the windows open and close... For instance I will install something, and an installer window comes up, and then .1 second after that there is a slight tremor on the screen and then the installer dialog box comes up again. Besides all of the crazy files and GUIDs and encrypted bit masks all over the registry, it also feels like something is double-checking everything that is happening. And it is just too obvious when I install an antivirus application (and I have installed all of the applications listed on the Windows 7 page). It is the way the system will coincidentally hang. But it is not entirely random....my system behaves with a purpose. If I download and try to install an AV application on my laptop, it will hang as soon as I install it. BUT, if I take my laptop to an internet cafe, use another PC, download the same AV installer virus application, put it on a flash drive, then install it on my laptop as quickly as possible after inserting the flash drive, the application will successfully install until completion....but then it will never update (again, is this a coincidence?), or there will be certain options greyed out which I know should not be (see an earlier post where I mention this phenomenon when I was using Kaspersky back in February).

    IF I had the means, I would pay any of you or some MS security consultant to travel to me and just look at my PC and try to work on it normally for 1 hour. They would realize that there is a virus/trojan, and that it is or has completely taken over my system. But what I do not understand is the motive. So far, nothing malicious has been done. It is as if he is just using my bandwidth or something. I have not figured that out.


    But -- something strange just happened -- I was in a Windows Explorer directory searching on all files with today's date as date modified. While this was running, I tended to some other things in other windows. I just looked back and saw this (see screenshot). It says there is a directory called "installer" located on C.

    I am only aware of "dir /a" as a means for displaying hidden directories and/or folders. Is there not only a hidden but a super-hidden attribute NTFS has which would allow these files not to be detected? (This is a footprint basically....I do not know why Windows Explorer ended up like that....but it was part of this hijacking I am suffering.)

    The main other "footprint" that I see (and I have seen it about 500 times) is when I go to regedit. You know how regedit saves the last key you edited or were viewing? Well, the one thing this guy does not do is disable this feature, so I have seen where he has been countless times -- that is not to say I understand the keys he is changing, but unless Windows has to move around in the registry like that and then the last place Windows referenced the registry is saved and would typically come up when you entered Regedit.exe (which I highly doubt is the case in WIN7 as I have never seen that occur before), then it is this phantom, because it is not me.

    Paul
    Attached Thumbnails: installer.png
    Last edited by pjvex386; 02 May 2009 at 12:56.
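    On the "super-hidden" question in the post above: NTFS has no separate super-hidden flag. An entry with both the Hidden (H) and System (S) attribute bits set is what Explorer calls a "protected operating system file" and keeps out of view even with "Show hidden files" turned on, while dir /a and attrib list it regardless. The script below is an added example, not code from the thread; it classifies attribute bitmasks, parses attrib.exe output lines (the three sample lines are constructed), and walks a directory reporting every hidden or super-hidden entry. The walk reads real attribute bits only on Windows, where os.stat() exposes st_file_attributes; elsewhere it returns an empty list.

```python
"""Decode the NTFS attribute bits behind "hidden" and "super-hidden" entries.

Added example, not from the forum thread. Hidden + System together is the
combination Explorer treats as a protected operating system file. The
classifier is platform independent; scan() only sees real attribute bits
on Windows (os.stat().st_file_attributes).
"""
import os
import re
import stat

HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN      # 0x02
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM      # 0x04
ARCHIVE = stat.FILE_ATTRIBUTE_ARCHIVE    # 0x20
READONLY = stat.FILE_ATTRIBUTE_READONLY  # 0x01

# Flag letters as printed by attrib.exe, mapped to the attribute bit they stand for.
ATTRIB_LETTERS = {"A": ARCHIVE, "R": READONLY, "S": SYSTEM, "H": HIDDEN}


def visibility(attrs):
    """Classify an attribute bitmask as visible, hidden, or super-hidden (H+S)."""
    if attrs & HIDDEN and attrs & SYSTEM:
        return "super-hidden"
    if attrs & HIDDEN:
        return "hidden"
    return "visible"


def explorer_shows(attrs, show_hidden=False, show_protected_os=False):
    """Whether Explorer lists the entry under the given Folder Options settings.

    The defaults mirror a stock install: hidden files not shown, protected
    operating system files hidden. A super-hidden entry needs both changed."""
    kind = visibility(attrs)
    if kind == "visible":
        return True
    if kind == "hidden":
        return show_hidden
    return show_hidden and show_protected_os


# attrib.exe prints the flag letters, whitespace, then the full path.
ATTRIB_LINE = re.compile(r"^(?P<flags>[A-Z ]*?)\s*(?P<path>[A-Za-z]:\\.*)$")


def parse_attrib_line(line):
    """Parse one attrib.exe output line into (path, attribute bitmask).

    Returns None for lines that do not look like attrib output."""
    m = ATTRIB_LINE.match(line.rstrip())
    if not m:
        return None
    attrs = 0
    for letter in m["flags"].replace(" ", ""):
        attrs |= ATTRIB_LETTERS.get(letter, 0)
    return m["path"], attrs


def scan(root):
    """Walk root and return (path, classification) for every non-visible entry.

    On non-Windows hosts st_file_attributes is absent, so every entry counts
    as visible and the result is empty."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                attrs = getattr(os.stat(path), "st_file_attributes", 0)
            except OSError:
                continue
            kind = visibility(attrs)
            if kind != "visible":
                found.append((path, kind))
    return found


# Constructed sample lines in the layout attrib.exe uses (flags, then path).
SAMPLE_ATTRIB = [
    "A            C:\\Users\\paul\\old-notes.txt",
    "A    H       C:\\Users\\paul\\hidden-notes.txt",
    "A    SH      C:\\pagefile.sys",
]

if __name__ == "__main__":
    for line in SAMPLE_ATTRIB:
        path, attrs = parse_attrib_line(line)
        print(f"{visibility(attrs):<13} explorer(default) shows: "
              f"{explorer_shows(attrs)!s:<5} {path}")
    for path, kind in scan(os.environ.get("SystemDrive", ".") + os.sep):
        print(kind, path)
```

    Run on the Windows box, scan() gives the complete list of H and H+S entries on the drive, which is the same set dir /a /s shows but already sorted by why Explorer hid each one; comparing that list against a freshly installed machine is the quickest way to tell a normal protected system file (pagefile.sys, desktop.ini, $Recycle.Bin) from something that was hidden deliberately.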

