This is a Security issue, but more!!!

Page 9 of 13

  1. CB
    Posts : 2,076
    Windows 11 Prerelease
       #81

    It may be too late for me to be making this reply.
    But sometimes this simple way will make a difference.
    I just share what I normally do to my PCs.

    What I did to my PCs was this:
    Let me assume that there is no hardware problem, the BIOS is on its normal settings, and most HDDs are partitioned into more than one partition.

    Obtain Hiren's Boot CD ver. 9.8, available everywhere.
    - Boot from Hiren's, choose mini Windows.
    - Delete all content in the System Volume Information folder (some malware, adware, & viruses reside here).
    - If you have a removable drive, connect it, do the same procedure, delete the content.
    - You can even scan all drives if you have a portable antivirus, but it isn't needed.
    - Exit mini Windows.
    - Install Windows normally.
    - Install antivirus or any reliable security suite available (with firewall, coz).
    - Scan other drives thoroughly, including all removable drives.

    Things to remember: don't ever access other drives or connect any removable drive before you finish installing the security suite. Normally Windows will access and read or write information in the System Volume Information folder of other drives, but for sure the content was already deleted by mini Windows.

    This is what I did and it keeps my 3 desktops and 2 laptops in shape.

    Hope this is useful :)
    Last edited by CB; 13 May 2009 at 00:32.


  2. Posts : 57
    Windows 7
    Thread Starter
       #82

    Thank you everyone. I am going to respond to each reply sequentially:

    But first, please know that last night I did what I said I was going to do. I removed the hard drive, put the cover back on, put in a BackTrack ver. 3 boot CD.... It booted up, went through installation... when after login, I had no root privileges... further, shortly thereafter, I got an error when I finally changed from bash to GNOME. I entered "startx" and I got an error message which said (paraphrasing a bit) "no screens found -- fatal error" and "disabled by peer" or something to that effect.

    First to torrentzg, I knew there was a term for this. I had forgotten Faraday since college physics. But, in my low-tech world and resources, the best I have tried is to go to a hospital or a basement or anywhere that I can never get a cell signal.... I know the frequencies between 802.11b/g and GSM are different, but I thought it would help. It did not.

    Darkassasin: First off, I have a laptop for its portability and wireless. I do not have frequent access to Ethernet (wired). But my question to you would be, while in safe mode, why should I not disable all of these annoying hidden adapters?? I do that fairly frequently in normal mode. In fact, I have, I believe, 4 ISATAP adapters now, when before I believe I only had 1. So I made a fairly intelligent guess that this was one means of getting in.

    Also, I am in a bit of a dispute with AT&T which will hopefully be resolved tomorrow, but up until now, I had been using hotspots -- (and the whole time I thought I was the one with the skills to be a potential intruder....). So I am often using unsecured wifi routers. And with no working AV applications (and I mean NONE: the Conficker tool for instance from Jacee started... got to 4 bars, and then popped up saying the system was clean. Could be, but it seemed strange). Any of the AV apps that Windows promotes specifically for Win 7: none of them will do anything... I can maybe install them if lucky, but then it is just more games.... the app does the things I really think it is doing, but nothing is being done.

    Just as strange as this... I download a lot of things off the web. Usually I do not have problems... unless it is something like a net utility or something that could expose this guy. Since I have had this problem, I have NEVER been able to install WinPcap. But as far as your Prio utility, see screenshot "loading". It has been that way for 20 minutes. I am trying to download the 64-bit version.... maybe this is not compatible -- see paragraph below. EDIT: I launched Task Manager a little while ago, and although the application never really installed properly... it hung for an hour until I forcibly closed it.... So, I do not know if this is accurate, but here is a screenshot of my Task Manager... See Prio.

    As far as /dudisabled, I read it in a Vista administrator's guide. I didn't know it had been deprecated. But if it is, it doesn't mean it won't work.. which it did, once. My thoughts at the time were if I wanted "clean", I needed to lock the installation process....

    Now to Baarod. I am in the BIOS frequently, and I even have it password protected, but I know this is easily ascertainable... Anyway, there is nothing in my BIOS that allows me to disable Ethernet, Bluetooth, or anything else. I can run diags, change the boot sequence, and disable the floppy, virtualization, and I think booting from the network card.
    Am I missing something or do I have a second-rate BIOS?

    I did not know how to delete the path with Shift-F10. I will try that. But I cannot disable Bluetooth. I was given a run command which is a little beyond me, but it was from darkassassin.

    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL bthprops.cpl,,1

    I will try running it right now and see if I get what I always get.... it did nothing, well there was no dialog box as I expected when I did it from "Run". I do not know if the format of this command is the same but I ran it at the command line too.. Nothing interesting... just another command line.

    Also, another little gift I got today.... I have a 64-bit HP, using 64-bit Vista and then I (and I know this was advised against) UPGRADED to RC 7100 Win 7 (also 64-bit). Today I tried to download Firefox because I am always reinstalling..... And when I tried to run the application, well... here is what I got... see screenshot firefox. Firefox does not have 32-bit or 64-bit versions. Firefox has ALWAYS worked for me even with this intruder. But I also know I can sometimes outmaneuver him with some of the Mozilla add-ons which I use quite a lot. But the question is, if I am running 64-bit everywhere.... why would the error say it is not a valid Win32 application???? I have seen this before. He is using a wrapper or an interface to allow use of the CPU's 64-bit architecture by the run-level.. doesn't it sound like it???

    And yes, I agree, my methodology in figuring this out isn't as systematic as I would prefer. Usually it is spurred on by rage. Because I have done everything.... well, the methods, except Shift-F10.

    To Kevin Ismaill: I have mini-XP and Hiren's. When I am in mini-XP, I cannot seem to gain access to anything except the shell drive X: and the CD. Am I missing something? I cannot seem to touch the C: volume... But this could be user error.

    And trust me. I for one have learned my lesson. I put up with this for 2.5 months, only to be given a brand new HP laptop which I promptly reinfected with a flash drive 10 minutes after taking it out of the box.
    [Attached images: loading.png, loading-2.png, firefox.png, prio.png]
    Last edited by pjvex386; 13 May 2009 at 21:00.


  3. Posts : 1,519
    El Capitan / Windows 10
       #83

    "Not a valid Win32 application" is a generic way of saying that the file you downloaded is not a valid Win PE image, i.e. the file is corrupted. Try downloading again from somewhere else and make sure to get hashes to check your file from the downloading website. Verify them against what you downloaded with 7-Zip's File, Calculate checksum feature.
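    The checksum comparison the reply above recommends, as an added example that is not part of the thread and not 7-Zip's own code. It assumes the download page publishes a SHA-256 hex digest (the `published` value below is computed from a constructed sample file so the script runs offline), streams the file in chunks so a large installer is never held in memory, and uses a constant-time comparison so the result does not depend on how many leading characters happen to match.

```python
"""Verify a downloaded file against a published checksum (added example)."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a large installer is not loaded whole


def file_digest(path, algorithm="sha256"):
    """Return the hex digest of the file at `path` using the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex, algorithm="sha256"):
    """True if the file's digest equals the published one.

    The published value is normalised (whitespace stripped, lower-cased) because
    download pages print digests in either case; hmac.compare_digest keeps the
    comparison constant-time.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, published_hex.strip().lower())


def demo():
    """Write a constructed 'installer', then check a good copy and a tampered copy.

    Returns (good_matches, tampered_matches); the constructed payload stands in
    for a real download and `published` for the hash shown on the download page.
    """
    payload = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real installer\n"
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "setup.exe")
        with open(good, "wb") as f:
            f.write(payload)
        published = file_digest(good)

        tampered = os.path.join(d, "setup_tampered.exe")
        with open(tampered, "wb") as f:
            f.write(payload[:-1] + b"!")  # one byte changed at the end

        return verify_download(good, published), verify_download(tampered, published)


if __name__ == "__main__":
    ok, bad = demo()
    print("good copy matches published hash:", ok)       # True
    print("tampered copy matches published hash:", bad)  # False
```

    In practice you would paste the digest from the vendor's page as `published_hex` and point `verify_download` at the file you saved; a mismatch means the file is not the one the vendor published, whether through a corrupt download or a substituted one, and the fix is the same as the reply says: fetch it again from a source you trust.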


  4. CB
    Posts : 2,076
    Windows 11 Prerelease
       #84

    That is completely weird to me.
    With Mini XP in the Hiren's 9.8 boot CD I was able to gain access to all drives, flash drives, and even an external HDD. There should be something wrong somewhere.

    Using Hiren's on a system with Vista and Win 7 installed, we only have to take precautions in running its portable Partition Magic. It will report a partition error and ask for a repair, but don't ever allow it to repair the disk, as Vista or Win 7 won't run anymore.

    I wish you were next door to me. Because I am always curious about something strange like this one.

    But one thing for sure, computers do follow a logical sequence. Meaning that your problem always has a solution. You just haven't been on the track. Maybe soon.

    Cheers :)


  5. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #85

    pjvex386, scroll down to #4 in this link
    Five Free Security Hacks - Solutions by PC Magazine


  6. Posts : 57
    Windows 7
    Thread Starter
       #86

    Jacee, et al.

    First Jacee.. thank you for the tip. It is a switch for "net config" I did not know and I have been through a lot of books. I think I once posted the output to netstat -a here, but I have never compared them. I am going to do that this evening.

    It would be great to be hidden on my network. But my question is this: let's assume that what I have been saying is correct, i.e. I do not have a virus, or a trojan, or even a nasty worm/trojan.... but let's say I have all of those things PLUS someone -- at least part of the time -- monitoring my laptop via VPN, SSH, or any number of other methods. That this person, when he is actively and not passively (through scripts and things) watching what I am doing, well then he would know I am doing this. Since he has privileges on my laptop of that of a server admin -- a lot more clout than my lowly Administrator (local) -- he can just change it back -- that is, he can change it back if it makes it more difficult for him to stay on top of me/my laptop.

    For the first time yesterday, I had about 5 minutes of freedom. I was going to try a different utility off of the Hiren's boot CD (which, by the way, I am convinced that he/she/it (HEREINAFTER REFERRED TO AS the "RNAV", a name I derived from RNA virus -- a retrovirus) has the ability to hook into many if not all of these applications which are on their own bootable CD!). I do not know if it was one of the "passive" periods for the RNAV, but I chose a Gateway disk utility that had a fast wipe (it zeroed the first 1MM sectors from the beginning and end of the drive), then installed Win 7 (without Vista first, which I have typically been doing because those are the recovery disks from HP for this laptop and contain all the drivers for the webcam, or sound card, etc... some of which I cannot download from HP directly). Anyway, I went to my Task Manager, and there was no sign of it.... for 2, 3 minutes I thought I just got lucky..!!! Then, I saw the first process show up that is typically one I see when the RNAV is there. I cannot recall precisely right now, and since I lost my 400MG of screenshots, I do not have something to refer to... but it is something like "mcorweiw". This is not the name of the process, but close. Then, I saw WmiPrvSE.exe, which is always there when the RNAV is. Followed by 3 times as many svchost processes running (slowly, in about 20 seconds, they all start; note: I know that svchost is run normally by Windows for just about every application, but I have seen what underlying services these particular svchost processes run and many are not needed and are part of the infection). Also, Wlanext, then WUDFhost. Lastly, one process that must be there, and is as persistent as a housefly, is one called "audiohg". I won't claim my Bluetooth theory as gospel, but something is tied to multimedia....
    If I delete this file (and it takes a lot of work to get to it and delete it), then until it can replace the file, it uses Windows Presentation Font Cache or Windows Presentation. During this whole time, I was not connected to an Ethernet network, nor was my wireless "switch" on (it is just a touch sensor, so saying "switch" is a bit much). One reason I believe I had this 3-6 minute moment of peace was because I did my quick wipe, followed by a Win 7, RC 7100 install. The 7100 build, as you may all know, does not include Bluetooth drivers. I know that many here reading this thread have their doubts on my Bluetooth theory, and I understand why you deem it unlikely, but I have not much else (following the rules of physics as we know it) to go on.

    But, Jacee, back to my point (and I realize, everyone, that my ADD gets the best of me when I am anxious and I start posting on this board).... If I was to offer my first reflexive opinion, I would say that this tip would not work because the RNAV would know. I know there is every type of log (keylogger, possibly video now with my webcam on this laptop, screenshots, etc.) used by the RNAV -- while my Windows Event Monitor is pretty much rendered useless. In the beginning of all of this I tried a lot of tricky things to avoid it in the wireless universe. I wrote a script that changed my MAC every 5 minutes.... that didn't seem to do much.... and I know everything I am saying is absurd at some level but it is something of an obsession now because there MUST be an explanation. [I bet if I was married, my wife would have left me about 1 month ago over this... :)] But Jacee, I will certainly try it.

    I have some interesting things to add and post. First... while running the various Hiren's BootCD utilities, I ran countless tests from virtually all of the applications (and there are at least 50 different diagnostic applications on this CD). Since I was in a DOS environment and would need to restart to get Windows, I did not have a screenshot method at hand, so I just grabbed the ol' digital camera when something interesting came up. I am going to describe some of those now. To stave off the tedium, pretend I am showing you slides from a really weird recent vacation or something..

    Image_522: This just shows my root drive. I had not noticed some of these items even with "show hidden folders and files". I am not sure what the SIDs mean either.

    IMG_534, IMG_537, IMG_539: I am in the Ubuntu-based pentesting CD BackTrack 4, and I am just showing that when I do "ps -f" and then "ps -ef", I get a lot of processes (and the ultimate bash parent) having a tty of "?", so Linux knows the STDIN process, but does not seem to know the name of the file connected to STDOUT. That is weird to me.

    IMG_546, IMG_547, IMG_548: More root drive directory shots.

    IMG_549: This is a weird directory off of windows... I have never seen it. Is this normal?

    The following shots are from the Mini-XP which comes with the Hiren's BootCD. One nice thing very helpful about the Mini-XP is that it includes the Sysinternals ProcExp.... which is a super-charged, "all-extras-included" version of Windows' rather boring Task Manager. [See: remainder of images through IMG_598]

    Regarding these images from ProcExp...... Now here is where I think I have to have SOME ground. But please tell me if I am wrong. Please review..... There are times -- I swear -- I will see for .25 of a second an icon for a shared SID in the Security tab in the Properties box, but this SID icon is the one with the red-circled X over it (and I forget what that means), but it disappears immediately and I see the SIDs that you see in the photos. I do not know if these are standard, built-in Windows groups and users. Also, the shots are just from different tabs of the properties of a specific process running while Mini-XP from the boot CD was used. What you are looking at should be self-explanatory. But ask if you have a question.

    There are mysterious SID owners and also, given this is just a scaled-down version of XP, would there be so many threads and strings??? And.... well, I am in water way too deep for me, but it seems like an awful lot more is going on than would need to be. Windows Vista is not supposed to be running. This is merely a mini-XP.
    OK. That is enough screenshots for now.

    But on an ending note.... all this time I have been trying to figure out how the RNAV gets in.... maybe it is simpler than that. To wit: I was looking at one of the utilities mentioned above from the Hiren's BootCD (I would have to find this screenshot, but I am almost sure I have it). It was running a diagnostic on the CPU. The strange part was that it said the last time the CPU was powered off was "3 days and 14 hours ago". I know that I have shut down my laptop no less than 10 times in the span of 3 days and 14 hours.. I use the power button or "Start" -- "Shut Down". I also know that something, perhaps the RNAV, keeps changing the power settings in Vista or Win 7 so that the power button does not "power off" like I -- THE USER/OWNER -- would prefer; instead the settings are always set so the power button merely puts the laptop to sleep. I have tried to counter this with the additional safeguard of removing the battery and holding down the power button (unplugged obviously as well) for anywhere from 10 to 30 seconds.

    Is there a way the code of the RNAV could remain in the machine (setting aside storage on the HD)???? I ask this since I replaced the hard drive last weekend, so I know that magnetic media is not vital to its survival/existence even with my safeguards.

    Thanks,
    Paul
    [Attached images: IMG_0522, IMG_0534, IMG_0537, IMG_0539, IMG_0546, IMG_0547, IMG_0548, IMG_0549, IMG_0576 through IMG_0582, IMG_0584 through IMG_0594, IMG_0596 through IMG_0598 (.jpg)]
    Last edited by pjvex386; 16 May 2009 at 16:37.
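    The poster above mentions saving `netstat -a` output but never comparing two runs. The following is an added example, not code from the thread or from any of its participants, showing one way to do that comparison: take a baseline right after a clean install (ideally with no network attached), take a later snapshot, and report only what is new. It assumes the Windows `netstat -ano` column layout (Proto, Local Address, Foreign Address, State, PID; UDP rows have no State column), and both snapshots below are constructed sample text so the script runs offline. It keys listeners by protocol and port rather than PID, because PIDs legitimately change every boot and would otherwise drown the real differences in noise.

```python
"""Diff two `netstat -ano` snapshots and report new listeners and new peers (added example)."""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")

# Constructed baseline: taken right after install, nothing but the usual Windows services.
BASELINE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:49155        0.0.0.0:0              LISTENING       512
  UDP    0.0.0.0:5355           *:*                                    1020
"""

# Constructed later snapshot: one new listening port and one new outbound session.
LATER = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2244
  TCP    127.0.0.1:49155        0.0.0.0:0              LISTENING       512
  TCP    192.168.1.5:49210      203.0.113.9:443        ESTABLISHED     3180
  UDP    0.0.0.0:5355           *:*                                    1020
"""


def parse_netstat(text):
    """Turn netstat -ano output into Conn records, skipping banner and header lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts  # UDP rows carry no State column
            state = ""
        else:
            continue  # malformed row: skip it rather than guess at the columns
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def port_of(addr):
    """Port number of 'host:port'; IPv6 addresses are bracketed, so rsplit on the last colon."""
    return int(addr.rsplit(":", 1)[1])


def diff_snapshots(baseline_text, later_text):
    """Return (new_listeners, new_peers): sorted lists of what appears only in the later run.

    Listeners are keyed by (proto, port); established sessions by (proto, remote endpoint).
    """
    base = parse_netstat(baseline_text)
    later = parse_netstat(later_text)

    def listeners(conns):
        # UDP sockets have no LISTENING state in netstat; any bound UDP port counts.
        return {(c.proto, port_of(c.local)) for c in conns
                if c.state == "LISTENING" or c.proto == "UDP"}

    def peers(conns):
        return {(c.proto, c.remote) for c in conns if c.state == "ESTABLISHED"}

    return (sorted(listeners(later) - listeners(base)),
            sorted(peers(later) - peers(base)))


if __name__ == "__main__":
    new_listeners, new_peers = diff_snapshots(BASELINE, LATER)
    print("new listening ports:", new_listeners)  # [('TCP', 22)]
    print("new remote peers:", new_peers)         # [('TCP', '203.0.113.9:443')]
```

    To use it on a real machine, save `netstat -ano > baseline.txt` right after install and `netstat -ano > later.txt` a few hours later, read both files in place of the constructed strings, and look up each new port's PID with Task Manager or Process Explorer. A new listener on a machine that has had no software installed is worth explaining; a new established session to an address you do not recognise is worth explaining too.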


  7. Posts : 57
    Windows 7
    Thread Starter
       #87

    With regard to the first part of my last post, I thought I would include a current view of my Task Manager.... so you can see all the insidious things going on.

    See tm1, tm2, and tm3.
    [Attached images: tm1.png, tm2.png, tm3.png]


  8. Posts : 1,289
       #88

    Hi Pjvex386,

    The folders starting with $ are created during Windows Setup, Windows Updates and also by BackTrack itself when it loads various tools, so as not to corrupt your real Windows directory.

    Nothing I've seen in any of your screenshots looks even a bit abnormal, minus that $UpgDrv$ directory. I've never seen that used by Microsoft or Windows before, so I don't know where or what might have created it.

    Steven


  9. Posts : 2,899
    Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)
       #89

    I too agree with dmex, although the UpgDrv issue would most likely be that of an upgraded driver (and most likely the use of a backup location)...
    although I'm not sure....


  10. Posts : 57
    Windows 7
    Thread Starter
       #90

    I would love to believe either of you, dmex and darkassasin. I would do absolutely anything if you could tell me with a reasonable amount of certainty -- certainty that cannot come from me posting screenshots and my Task Manager output (although why would there be so many WmiPrvSE processes? Why, if I just log on to a network, is one of my svchost processes running ssh?? That last part does not alarm you at all?????).

    Either way.. my offer throughout this stands. I want anyone who can to please choose their secure means to do so, and take control of my computer, and look around. Install an antivirus program. Update Windows.

    And here is a new one. I said earlier I wrote a script that changed my MAC address every 5 minutes... well, that was back in February and it was a different world. Now.... I was thinking about that, and even though I am on a LAN... why not change my MAC... perhaps every time I log in??

    Well, first because the registry key is not where it is supposed to be. There is a sub-sub-sub key that does say NetworkAddress: and it has a MAC number -- a valid one anyway -- but when I check on my Windows network map, even after reboot it stays the same. I was just about to convert the hex MAC address to binary or decimal and search for it in the registry....

    But, since my registry for my SID has a VOLATILE ENVIRONMENT KEY, which I try to delete or modify, and it does nothing, which in turn does nothing about the permanence of ANY CHANGES I ever make to the registry. That is why I keep saying that it seems more and more that I am given facades to work with, while the real items/devices etc. that may alter the system are not being touched. Is it inconceivable to either of you that someone might put in a version of regedit that is not bound to the core -- tied in some way to my unique user SID, and is in essence nothing but a big text document (so to speak)? This is not what is happening, because as changes are made to the registry, the registry I have access to changes... a lot of changes... and a lot of changes while I am sleeping too!!! But whenever I make a change, it may do some good for that session. But then all my changes are gone -- as in VOLATILE.

    Please do not say everything looks normal. You guys know Windows 7, right? I will wipe my drive, install 7100. Leave my computer on. I will disconnect it from all network sources, and otherwise leave it alone. In 2 hours, I will find a utility that does a reg compare.. and yes, I expect in the course of functioning Windows would make some changes... But these changes I refer to are entirely unorthodox and unusual.

    I know I am killing everyone with screenshots. But look at the attached. PLEASE REMEMBER THAT I REINSTALL WINDOWS 7 (OR VISTA) AT LEAST EVERY 2 OR 3 DAYS, SO I DO NOT HAVE MUCH TIME TO LOAD IT UP WITH SOFTWARE.

    There are a few shots of the registry -- where changes have been made that seem very strange. ... And I threw in a copy of a cmd line netstat as well. Lastly, Norton, which does not stand a chance against this and is dying every day (upon last reinstallation of my OS, I decided just to uninstall Norton. When I got to the uninstall page, it started to uninstall as expected, then I got a dialog box that says "There has been an error. It appears that Norton has already been uninstalled"). I don't know. It could have been a mistake I made. But even statistically, there is no way this can be happening. I am not proud of this, but I had a nasty breakup with a fiancee in 2003, and was fairly anti-social afterwards for a bit. I spent 2003 to 2005 spending 7 hours a day on XP. And I have a hacking -- "let's see how this works" or "let's see how this reacts or behaves" -- type of curiosity. Last summer, I spent 8 hours a day working with Vista, which is why I like Win 7 so much. And, it felt to me like a clumsy, but sleeker XP, with security enhancements that were ubiquitous.

    So unless Windows 7 is as different from Vista/XP as VisiCalc is from Excel, then you need to take me up on my offer and access my machine and tell me I am nuts. Cuz either my laptop or my mental state needs a diagnosis ASAP.

    OK. Now I either hit something on my keyboard or something is not working correctly. I had re-edited this post for 20 minutes, and now I lost all changes. I am going to submit it as is... Sorry for the rough edges.....
    [Attached images: adapterreg.png, audio.png, lanmanserver.png, linkageadapter.png, mounteddevices-hklm-system-ccs.png, network.png, mroe1.jpg, netstat.jpg, tun.png, norton4.png, tcp.png]
    Last edited by pjvex386; 16 May 2009 at 21:18.