This is a Security issue, but more!!!

[Loki]

Hi,

This is a very long post so sorry if this has been covered already but I didn't see if you are behind a router. If so does it support WPA2 and does it have the latest firmware?

Are you the only person with physical access and control of the router, if so
I would reset all my passwords on the router and create a new WPA2 key using a random password generator like: https://www.grc.com/passwords.htm

On the subject on reformatting the drive did you use a tool to Zero the drive?
If you chose to reinstall and reformat the drive I'd run this tool first:
Darik's Boot and Nuke: Darik's Boot And Nuke | Hard Drive Disk Wipe

Good luck

 

[pjvex386]

OK. Loki thanks for your response, and I will answer it. But I am getting more interested in the party or parties responsible for this.

Another thing I have noticed when I have had all of these problems is that Firefox is never available... It is always installed since I installed it, but it never shows-up in my start menu, except in the form "Firefox Safe Mode" which I know means to add-ons or extensions... at least that is how I understand it.

Also, in the past, when I look at IE, it always shows me the icon for "Internet Explorer without add-ons" which I realize is the equivalent for safe mode in firefox.

Ok, also, it seems as if my laptop is encouraging me to install java in my browser. It was installed before I took out my wireless NIC, wiped the drive and reinstalled win-7. I never needed to install java, so I didn't but little things like adobe updates or other strange things (like the java plug-in download page suddenly pooping up out of nowhere perhaps 2 days ago).

THen today, I needed the plug-in for something. I installed it, and then I went to the Tools menu in firefox, and first it I see "Java Console". I click on it and nothing happens. So then I open the Tools menu again but now the Java console is grayed out.

I then went to firefox addons and downloaded a "Java Console" and an add-on called "Event Spy" which is an enhanced Java console.

Neither of these addons work.....! Also, a few posts back, I mentioned that there were services that I cannot touch, modify turn off or on, or do anything to because under properties, everything on every tab is grayed out. Each of these services became inaccessible after I either shut them down, or if they were essential and I did not want to shut them down, I changed it so it would log in not under local system, or local service (which most are logged on under and this may be normal, but I don't know) but instead they would log on under the "Administrator" user. The services I listed were: PlugNPlay, Group Policy Client, RPCSS, RPC Endpoint mapper, and DCOM SERVER. In addition as an FYI, the following services are also now inaccessible..... Windows Driver Foundation - User-mode Driver Framework, Power, and the service brought to my attention by Jacee..... called NZNEQPXT.

I am attaching for Jacee, 4 screenshots each showing a tab in the above service in question, NZNEQPXT. This whole thing is getting stranger as I never noticed this server EVER before, and I remember going through each one.....

Also, although perhaps not directly related, but part of the overall problem, I am attaching to screen shots of my firefox error console (which I checked after Java console would not. I am not sure if this provides additional information, but if it does, please let me know. Thanks....

Loki, I am using open wireless networks in each occassion. First 3 months back, 5 miles from where am now, and again a this moment where I am residing. I have no control whatsoever to the router. Also, any hotspots I go to where this problem continues, I obviously do not have control of the router. I am not foolish as far as security....I have always used a firewall on past workstations or laptops. And even intitially on this laptop. But since these problems began I could never get Kaspersky to work, so when my internet started working 2 days ago after I pulled the NIC, and re-installed, I didn't want to "push my luck" (see an earlier post of mine where I discuss this) and try to install Kaspersky (which Dwarf told me has now expired anyway). I asked in one my recent posts if anyone had suggestions on a firewall or if the Windows firewall was sufficient.....

That question remains open as well. As soon as I can get this laptop to perform like it should...I want to have adequate firewall protection.

Paul

 

[Jacee]

Tyler, let's do this please .... open notepad, don't use any other text application or this won't work. Hopefully this will work with Win 7

copy the following text (in the 'quote box') into a new file:

sc config NZNEQPXT start= disabled
sc stop NZNEQPXT
sc delete NZNEQPXT

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Locate remove.bat on the Desktop and double-click on it to run it. A DOS box should will open and close, that is normal.
If any errors errors encountered please post.

Restart the computer normally.

Post a fresh HJT log .... copy and paste the contents, don't post a picture.

 

[pjvex386]

Does the character format matter? the "save as" dialog box comes up with ANSI. I want to make sure we do this correctly....I wouldn't think it would matter if it was ascii or unicode or ansi, but I have my doubts because in the past, I have tried ~300 line batch programs which included both SC and NETSH commands and when I ran them, I would get "invalid option" type output from both. The secedit commands would run, or other informational type commands, but not SC or NETSH.

Let me know and I will do it immediately.

Paul

(Note: I used Tyler, because I would rename the user name and the computer name every time I would install because I hoped it might make it more difficult to get some sort of network app running with new names.....)

 

[Jacee]

Yes...

 

[pjvex386]

Ran the batch program....

Here is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:17 PM, on 3/21/2009
Platform: Unknown Windows (WinNT 6.01.2904)
MSIE: Internet Explorer v8.00 (8.00.7000.0000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Users\Tyler\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Tyler\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [URL="http://go.microsoft.com/fwlink/?LinkId=69157"]MSN.com[/URL]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [URL="http://go.microsoft.com/fwlink/?LinkId=69157"]MSN.com[/URL]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [URL="http://go.microsoft.com/fwlink/?LinkId=54896"]Live Search[/URL]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [URL="http://go.microsoft.com/fwlink/?LinkId=54896"]Live Search[/URL]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [URL="http://go.microsoft.com/fwlink/?LinkId=69157"]MSN.com[/URL]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
O4 - HKCU\..\Run: [googletalk] C:\Users\Tyler\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix: 
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4294 bytes

 

[pjvex386]

I checked in services and it does not seem to be there anymore. That seemed too easy.

Below is the output of pslist.exe (sysinterals) run as administrator (I tried to keep the spaces in separating the columns, but they would not paste -- even after I tried reformatting them in word). Are the items highlighted normal???

Process information for CAIRO:

  Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
Idle                  0   0   2    0      0    15:33:06.434     0:00:00.000
System                4   8 105  566   1672     0:03:47.667     8:20:35.950
smss                284  11   2   29    264     0:00:00.078     8:20:35.950
csrss               380  13   9  389   1224     0:00:02.028     8:20:28.633
wininit             440  13   3   98    896     0:00:00.202     8:20:22.565
csrss               448  13  10  347   6644     0:00:07.956     8:20:22.549
services            496   9   7  188   3848     0:00:05.959     8:20:21.067
lsass               512   9   8  741   3844     0:00:05.709     8:20:20.958
lsm                 520   8  11  150   1452     0:00:00.390     8:20:20.958
winlogon            552  13   5  115   1900     0:00:00.436     8:20:20.896
svchost             668   8  11  373   2908     0:00:15.194     8:20:20.287
svchost             748   8  10  291   2896     0:00:03.369     8:20:19.835
svchost             836   8  21  553  22364     0:00:03.307     8:20:19.710
svchost             896   8  25  806  51332     0:03:55.748     8:20:19.539
svchost             920   8  42 1258  15868     0:00:22.760     8:20:19.507
svchost            1076   8  12  336   5576     0:00:01.591     8:20:19.071
svchost            1208   8  13  489  15404     0:00:11.107     8:20:18.805
spoolsv            1380   8  12  296   4728     0:00:00.218     8:20:18.162
svchost            1416   8  18  432   9620     0:00:03.291     8:20:18.089
taskhost           1880   8  10  218   7504     0:00:00.468     8:20:13.535
dwm                1940  13   5  152  97328     0:06:07.881     8:20:13.401
explorer           2044   8  44 1287  48464     0:03:01.897     8:20:13.091
rundll32           1196   8   3   91   1436     0:00:00.046     8:20:11.328
acrotray           1260   8   2   54    948     0:00:00.031     8:20:11.313
SearchIndexer      1808   8  13  691  22532     0:00:10.670     8:20:06.239
svchost            2064   8  11  201   3428     0:00:00.390     8:20:05.179
[COLOR=Red]sppsvc[/COLOR]             3656   8   4  146   5256     0:00:03.510     8:18:13.634     [COLOR=Red]Is Key Management Service for windows server 2003 normal?[/COLOR]
svchost            3716   8  11  364  48320     0:00:38.438     8:18:13.141
googletalk         3884   8  16  486  39992     0:00:40.373     8:05:18.906
taskhost           2628   6  11  274  10232     0:00:07.316     7:33:31.031
audiodg            3468   8   7  133  15212     0:00:00.296     0:09:53.253
firefox            2980   8  14  345  63324     0:00:32.089     0:09:31.347
WUDFHost           2412   8   8  231   1548     0:00:00.062     0:03:59.600
[COLOR=Red]WmiPrvSE[/COLOR]            724   8   8  138   2156     0:00:00.187     0:03:00.905
cmd                3360   8   1   18   1724     0:00:00.109     0:00:45.500
conhost             568   8   2   73   1004     0:00:00.592     0:00:45.494
pslist             4012  13   1  208   2056     0:00:00.265     0:00:02.756
dllhost            4092   8   6  110   1152     0:00:00.031     0:00:01.635

Following is output of tasklist /svc run at (presumably) an elevated prompt.

Image Name                     PID Services                                    
========================= ======== ============================================
System Idle Process              0 N/A                                         
System                           4 N/A                                         
smss.exe                       284 N/A                                         
csrss.exe                      380 N/A                                         
wininit.exe                    440 N/A                                         
csrss.exe                      448 N/A                                         
services.exe                   496 N/A                                         
lsass.exe                      512 KeyIso, SamSs                               
lsm.exe                        520 N/A                                         
winlogon.exe                   552 N/A                                         
svchost.exe                    668 DcomLaunch, PlugPlay, Power                 
svchost.exe                    748 RpcEptMapper, RpcSs                         
svchost.exe                    836 [COLOR=Red]Audiosrv[/COLOR], Dhcp, EventLog,                   
                                   HomeGroupProvider, lmhosts, wscsvc          
svchost.exe                    896 [COLOR=Red]AudioEndpointBuilder[/COLOR], CscService, Netman,   
                                   PcaSvc, SysMain, TrkWks, UxSms, Wlansvc,    
                                   [COLOR=Red]WPDBusEnum[/COLOR], wudfsvc                         
svchost.exe                    920 AeLookupSvc, Appinfo, BITS, EapHost, gpsvc, 
                                   IKEEXT, iphlpsvc, [COLOR=Red]LanmanServer[/COLOR], MMCSS,      
                                   ProfSvc, Schedule, SENS, ShellHWDetection,  
                                   Themes, Winmgmt, wuauserv                   
svchost.exe                   1076 EventSystem,[COLOR=Red] fdPHos[/COLOR]t, [COLOR=Red]netprofm[/COLOR], [COLOR=Red]nsi[/COLOR],        
                                   sppuinotify, WdiServiceHost                 
svchost.exe                   1208 CryptSvc, Dnscache, LanmanWorkstation,      
                                   NlaSvc                                      
spoolsv.exe                   1380 Spooler                                     
svchost.exe                   1416 BFE, DPS, MpsSvc                            
taskhost.exe                  1880 N/A                                         
dwm.exe                       1940 N/A                                         
explorer.exe                  2044 N/A                                         
rundll32.exe                  1196 N/A                                         
acrotray.exe                  1260 N/A                                         
SearchIndexer.exe             1808 WSearch                                     
svchost.exe                   2064 FDResPub, SSDPSRV                           
sppsvc.exe                    3656 sppsvc                                      
svchost.exe                   3716 WinDefend                                   
googletalk.exe                3884 N/A                                         
taskhost.exe                  2628 N/A                                         
audiodg.exe                   3468 N/A                                         
firefox.exe                   2980 N/A                                         
WUDFHost.exe                  2412 N/A                                         
[COLOR=Red]WmiPrvSE.exe [/COLOR]                  724 N/A                                         
SearchProtocolHost.exe        2564 N/A                                         
SearchFilterHost.exe          1676 N/A                                         
cmd.exe                       2948 N/A                                         
conhost.exe                   2764 N/A                                         
tasklist.exe                  1192 N/A                                         
[COLOR=Red]WmiPrvSE.exe [/COLOR]                 2276 N/A

 

[Jacee]

Your HJT log looks clean.

Now, when I said to change all of your passwords from a *known* clean machine, I did not mean from a public computer such as Kinko's!! Goodness knows what's on one of those computers :shock:

If you have a friend/neighbor who does not use such things as keygens, cracks or torrents (for illegal/copywrite) downloads, then ask to use their computer for a bit to change all passwords.

I believe you had a 'hacktool' on your computer.

If you are still having problems after doing the above instructions, then let me know because I have another way to go to help you out

 

[metaldragon]

Having read a lot of info. And not seeing a few things talked about please let me know if you have sorted the prob out or are you hard at work penning out your book

 

[pjvex386]

Hello:

I know you all have been losing sleep about my issue since I have not posted in quite some time. However, there is more excitement ahead!!

First I want to thank everyone' for their patient and intelligent feedback and assistance with my problem from this thread. In the end, I just sold the damn laptop (it was due for a replacement anyway), and bought a new HP dv4 1225 (4G ram, 250G HD, and dual core AMD Turion).

However, I feel comfortable enough with everyone here to tell you that I have to be the most incompetent fool since the guy in charge of security during the Lee Harvey Oswald prison transfer.

You can read about my mistake, my idea to fix it, and offer any help you see fit here... in this post I tagged onto the end of one by darco. As follows:

http://www.sevenforums.com/installation-setup/7144-unable-install-7077-x64.html#post70563

 

[Jacee]

Ooh man!
You can try to clean up that flash drive, or smash it and throw it away. They aren't that expensive any more.

Flash_Disinfector link
http://download.bleepingcomputer.com...isinfector.exe

Next, turn off the Autorun feature in Windows
http://www.howtogeek.com/howto/windo...nd-usb-drives/

*** Note: Be sure to insert your flashdrive before you begin!

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



PS ... my antivirus was claiming that a virus wanted access to my computer when I clicked on the disinfector link. It's a direct download, and it's safe!

 

[pjvex386]

Updates! Jaycee and the kind lot of you please read...

If you have been following our story....

Last week you may remember, Flash Gordon and Dale Arden saved the Earth from destruction by shooting a rocket at a planet which threatened to collide with it. They became marooned the Emperor, Ming the Merciless, ordered Flash killed.....
​

OK...so that is another story.... but if you have been following my story, I apologize for the lack of a response. My personal/financial life has been under some duress (and while I certainly cannot blame my new so-called "imaginary friend" who lives in my laptop (and moved to my new laptop because my idiocy (see my lastpost) answered that old question "did your mother have any children that lived?" with a resounding NO.

Well, It has been 28 days with my brand new HP dv4 1225 dx laptop (specs: AMD 64x Turion X2, 4ddr GB RAM...plus I still have my WD 500GB drive, which has been the only thing that has prevented me from going insane because I am allowed to keep some work product on this drive).

But I have a revelation for you all. Remember how so many would scoff at my idea that there was access to my laptop if I turned the wireless switch off--and I went so far as to remove the wireless NIC--and to my surprise, and everone else's disbelief (save this board) he (the perp who is in control of this virus/trojan, and therefore 100% in control of my laptop) still had very noticeable dynamic presence. I was stumped -- and just about considered psychiatric help.

But now...after reading and researching and dealing with my own personal menace -- who enjoys torturing me day after day -- at any hour and for any length of time (which to me us the most unbelieveable thing...I can see in some situations, scripts with automated responses can be used, but there are times when he is returning a volley of mine and it is just too well-tailored to be code-based...this type of a response can happen during any one of 24 hours in a day--so he is alerted when I do something or never sleeps....I would have to say that he cannot be much of family man given how much time he is at his PC).

In fact....even though he has been quite egregious in some acts (I caught that his name is Brendan) since he knows that I know about him, I will say that I am surprised I am even allowed to write this post on my the laptop in question because I am sure that not only does he know what I am typing at this second by virtue of having a VM-type screen on his monitor, or having a keylogger VPNed or on my disk....and to add more insult to injury, my new laptop has a built-in webcam, so he can probably see me furiously racing through the stack of books I have purchased in my losing battle with this trojan and the man or person behind it.

I have come close to really wiping all 250.5 GB of my drive, but since I do not have the HP driver installation recovery disks, I have not been able to do that. I do know now that on this laptop and on my old laptop, he would set aside X amount of disk space which I could never touch....I know that manufacturers use protected storage for a reason, but I have tried to use utilities to free up this protected area to no avail. My System Info stills says Capacity 238GB (250,547,000 B).

The only solution then is to wipe the entire drive and use the recovery disks (but do I need to tatoo the motherboard too?...that is one of my current questions).

But here the big news -- in my opinon --and some of you may have heard of this little before, but I was compeltely unaware of this vulnerability. The gang at MS knows about it (but the issue in quesiton is barely mentioned or discussed as far as I can tell), but from what I have experienced.... this should be a very big bug alert.....If this was not addressed (and apparently on a brand new laptop running Norton and Vista 64x it was not caught) who knows how big of a potential problem this could be....Ready everyone??????

When I first removed my wireless NIC on my own laptop, I assumed there must have been another RF device on it. How else could I explain the fact that he was still exercising some control. I did the same thing on this new laptop, also an HP (but this is not HP dependent), and had same problem....

Here is the key to the magic..... Bluetooth. This guy is using bluetooth from an any AP (as he is using UDP via IPv6) to connect first and control my laptop -- even though the data throughput for BT is only 1MB/s maximum...that is enough. And with development of BT in recent years, and with the right power behind it, the range can be up to 1 mile!

So the bottom line is that my trojan advertises not from the Wireless Nic, but from some BT device... something audio related as my audio never works unless I install the driver from the website (and boy does he get mad when I shut down the process entitled audiohg (but he has since found a workaround to this--he subsequently used some compoent of windows presentation, and now I do not know what he is doing). The trojan advertises my address and the radio signal picks it up. Given the range of bluetooth, it is impossible for me to hide from it -- no matter where I am, so is he). He quickly picks up this beacon, and whether I am with or withour wireless capability. He is incontrol of my laptop. Now if I really screw around with the drive and reformat it slow and install linux, then install XP unitl it crashes (because I have a SATA drive), then most of what he normally hides on my disk someplace is gone and it does take him awhile to get back to a level where he can do anything....including the use X11 or samba shares to destroy any refreshing expererience I could possibly derive from using Linux (Ubuntu). [I have logged on to a fresh install of Ubuntu Intrepid, and I am always pleasantly informed that I am not root.]

And while I would like to have this person drawn and quartered, I have to give him my respect for his thorough knowledge of windows server/client environments (NT, 2003, and 2008), Linux, all software, hardware, EVERYTHING. This guy is no slouch. But it underscores one thing. If he wanted to be purely malicious, he could have been. He is merely an annoyance and prevents me from doing many things when I want to. Many people would not even know he is there. But I like my system set up in a certain way and have been around windows long enough to know the way the "kernel" works.

So, though I know a complete wipe and reinstall will cure my problem. It would still give me great joy to defeat him without doing that. if someone can take me to the next step, I would be grateful.. Really, if I could only have an intimate understanding (as if it is a trivial thing) of the Vista/WIN7 registry, I could get rid of this guy in an hour.... but alas, I do not -- nor to very many others -- possess this knowledge.

But he does. And very well too.

Paul

The only thing I am going to attach in the way of diagnostics is a Sysinternals run of LoadOrd, which shows everything that is loaded at startup. But please anyone out there need something let me know. Also, my offer from a few months ago still stands: if anyone would like to get on the phone with me and Putty/Plink/SSH into my laptop and have a look see, I would love it.....


Columns are:
"Start Value" "Group Name" "tag" "Service/Device" "Display Name" "Image Path"

Boot WdfLoadGroup n/a* Wdf01000 Kernel Mode Driver Frameworks service
Boot Boot Bus Extender 1 ACPI Microsoft ACPI Driver
Boot Boot Bus Extender 2 msisadrv
Boot Boot Bus Extender 3 pci PCI Bus Driver
Boot Boot Bus Extender 6 vdrvroot Microsoft Virtual Drive Enumerator Driver
Boot Boot Bus Extender n/a* partmgr @%SystemRoot%\system32\drivers\partmgr.sys,-100
Boot System Bus Extender 7 Compbatt Microsoft Composite Battery Driver
Boot System Bus Extender 9 volmgr Volume Manager Driver
Boot System Bus Extender 10 volmgrx @%SystemRoot%\system32\drivers\volmgrx.sys,-100
Boot System Bus Extender 15 pciide
Boot System Bus Extender n/a* mountmgr @%SystemRoot%\system32\drivers\mountmgr.sys,-100
Boot SCSI Miniport 33 atapi IDE Channel
Boot SCSI Miniport 64 msahci
Boot SCSI miniport n/a* amdxata
Boot FSFilter Infrastructure 1 FltMgr @%SystemRoot%\system32\drivers\fltmgr.sys,-10001
Boot FSFilter Bottom n/a* FileInfo @%SystemRoot%\system32\drivers\fileinfo.sys,-100
Boot Filter 1 CLFS @%SystemRoot%\system32\clfs.sys,-100
Boot Base 1 KSecDD
Boot Base 2 CNG
Boot Base n/a* pcw Performance Counters for Windows Driver
Boot File System n/a* Fs_Rec
Boot NDIS Wrapper n/a* NDIS @%SystemRoot%\system32\drivers\ndis.sys,-200
Boot Cryptography 2 KSecPkg
Boot PNP_TDI 3 Tcpip @%SystemRoot%\system32\tcpipcfg.dll,-50003
Boot Extended Base n/a* storflt @%SystemRoot%\system32\vmstorfltres.dll,-1000
Boot n/a* n/a* Disk Disk Driver
Boot PnP Filter* 5* fvevol @%SystemRoot%\system32\drivers\fvevol.sys,-100
Boot n/a* n/a* hwpolicy @%systemroot%\system32\drivers\hwpolicy.sys,-101
Boot Network* n/a* Mup @%systemroot%\system32\drivers\mup.sys,-101
Boot PnP Filter* 2* rdyboost ReadyBoost
Boot n/a* n/a* spldr Security Processor Loader Driver
Boot n/a* n/a* volsnap Storage volumes
System SCSI CDROM Class 3 cdrom CD-ROM Driver
System Base 1 Null
System Base 2 Beep Beep
System Video Save 1 VgaSave
System Video Save n/a* RDPCDD @%systemroot%\system32\DRIVERS\RDPCDD.sys,-100
System Video Save n/a* RDPENCDD @%systemroot%\system32\drivers\RDPENCDD.sys,-101
System Video Save n/a* RDPREFMP @%systemroot%\system32\drivers\RdpRefMp.sys,-101
System File system n/a* Msfs
System File system n/a* Npfs
System PNP_TDI 4 tdx @%SystemRoot%\system32\tcpipcfg.dll,-50004
System PNP_TDI n/a* AFD @%systemroot%\system32\drivers\afd.sys,-1000
System PNP_TDI n/a* NetBT @%SystemRoot%\system32\drivers\netbt.sys,-2
System NDIS 16 WfpLwf WFP Lightweight Filter
System NDIS 18 Psched @%SystemRoot%\System32\drivers\pacer.sys,-101
System NDIS 24 vwififlt Virtual WiFi Filter Driver
System NetBIOSGroup 2 NetBIOS NetBIOS Interface
System n/a* n/a* blbdrive
System network* 9* CSC @%systemroot%\system32\cscsvc.dll,-202
System Network* n/a* DfsC @%systemroot%\system32\drivers\dfsc.sys,-101
System n/a* n/a* discache @%systemroot%\system32\drivers\discache.sys,-102
System n/a* n/a* mssmbios Microsoft System Management BIOS Driver
System n/a* n/a* nsiproxy @%SystemRoot%\system32\drivers\nsiproxy.sys,-2
System Network* 4* rdbss @%systemroot%\system32\wkssvc.dll,-1000
System n/a* n/a* TermDD Terminal Device Driver
System n/a* n/a* Wanarpv6 @%systemroot%\system32\rascfg.dll,-32012
Automatic FSFilter Virtualization n/a* luafv @%systemroot%\system32\drivers\luafv.sys,-100
Automatic COM Infrastructure n/a* DcomLaunch @oleres.dll,-5012
Automatic COM Infrastructure n/a* RpcEptMapper @%windir%\system32\RpcEpMap.dll,-1001
Automatic COM Infrastructure n/a* RpcSs @oleres.dll,-5010
Automatic Event Log n/a* eventlog @%SystemRoot%\system32\wevtsvc.dll,-200
Automatic AudioGroup n/a* AudioEndpointBuilder @%SystemRoot%\system32\audiosrv.dll,-204
Automatic AudioGroup n/a* AudioSrv @%SystemRoot%\system32\audiosrv.dll,-200
Automatic AudioGroup n/a* STacSV Audio Service
Automatic ProfSvc_Group n/a* CscService @%systemroot%\system32\cscsvc.dll,-200
Automatic ProfSvc_Group n/a* gpsvc @gpapi.dll,-112
Automatic profsvc_group n/a* ProfSvc @%systemroot%\system32\profsvc.dll,-300
Automatic ProfSvc_Group n/a* SENS @%SystemRoot%\system32\Sens.dll,-200
Automatic ProfSvc_Group n/a* Themes @%SystemRoot%\System32\themeservice.dll,-8192
Automatic UIGroup n/a* UxSms @%SystemRoot%\system32\dwm.exe,-2000
Automatic MS_WindowsLocalValidation n/a* SamSs @%SystemRoot%\system32\samsrv.dll,-1
Automatic PlugPlay n/a* PlugPlay @%SystemRoot%\system32\umpnpmgr.dll,-100
Automatic Plugplay n/a* Power @%SystemRoot%\system32\umpo.dll,-100
Automatic PlugPlay n/a* wudfsvc @%SystemRoot%\system32\wudfsvc.dll,-1000
Automatic NDIS 14 rspndr Link-Layer Topology Discovery Responder
Automatic NDIS 15 lltdio Link-Layer Topology Discovery Mapper I/O Driver
Automatic TDI n/a* Dhcp @%SystemRoot%\system32\dhcpcore.dll,-100
Automatic TDI n/a* Dnscache @%SystemRoot%\System32\dnsapi.dll,-101
Automatic TDI n/a* lmhosts @%SystemRoot%\system32\lmhsvc.dll,-101
Automatic TDI n/a* Wlansvc @%SystemRoot%\System32\wlansvc.dll,-257
Automatic ShellSvcGroup n/a* ShellHWDetection @%SystemRoot%\System32\shsvcs.dll,-12288
Automatic SchedulerGroup n/a* Schedule @%SystemRoot%\system32\schedsvc.dll,-100
Automatic SpoolerGroup n/a* Spooler @%systemroot%\system32\spoolsv.exe,-1
Automatic NetworkProvider n/a* BFE @%SystemRoot%\system32\bfe.dll,-1001
Automatic NetworkProvider n/a* LanmanWorkstation @%systemroot%\system32\wkssvc.dll,-100
Automatic NetworkProvider n/a* MpsSvc @%SystemRoot%\system32\FirewallAPI.dll,-23090
Automatic n/a* n/a* adfs
Automatic n/a* n/a* AESTFilters Andrea ST Filters Service
Automatic n/a* n/a* Apple Mobile Device Apple Mobile Device
Automatic n/a* n/a* Bonjour Service Bonjour Service
Automatic n/a* n/a* clr_optimization_v2.0.50727_32 Microsoft .NET Framework NGEN v2.0.50727_X86
Automatic n/a* n/a* clr_optimization_v2.0.50727_64 Microsoft .NET Framework NGEN v2.0.50727_X64
Automatic n/a* n/a* CryptSvc @%SystemRoot%\system32\cryptsvc.dll,-1001
Automatic n/a* n/a* DPS @%systemroot%\system32\dps.dll,-500
Automatic n/a* n/a* EventSystem @comres.dll,-2450
Automatic n/a* n/a* FDResPub @%systemroot%\system32\fdrespub.dll,-100
Automatic n/a* n/a* iphlpsvc @%SystemRoot%\system32\iphlpsvc.dll,-500
Automatic n/a* n/a* LanmanServer @%systemroot%\system32\srvsvc.dll,-100
Automatic n/a* n/a* MMCSS @%systemroot%\system32\mmcss.dll,-100
Automatic n/a* n/a* NlaSvc @%SystemRoot%\System32\nlasvc.dll,-1
Automatic n/a* n/a* nsi @%SystemRoot%\system32\nsisvc.dll,-200
Automatic n/a* n/a* PcaSvc @%SystemRoot%\system32\pcasvc.dll,-1
Automatic n/a* n/a* PEAUTH PEAUTH
Automatic n/a* n/a* secdrv Security Driver
Automatic n/a* n/a* sppsvc @%SystemRoot%\system32\sppsvc.exe,-101
Automatic n/a* n/a* SysMain @%SystemRoot%\system32\sysmain.dll,-1000
Automatic n/a* n/a* tcpipreg TCP/IP Registry Compatibility
Automatic n/a* n/a* TrkWks @%SystemRoot%\system32\trkwks.dll,-1
Automatic n/a* n/a* WinDefend @%ProgramFiles%\Windows Defender\MsMpRes.dll,-103
Automatic n/a* n/a* Winmgmt @%Systemroot%\system32\wbem\wmisvc.dll,-205
Automatic n/a* n/a* wscsvc @%SystemRoot%\System32\wscsvc.dll,-200
Automatic n/a* n/a* WSearch @%systemroot%\system32\SearchIndexer.exe,-103
Automatic n/a* n/a* wuauserv @%systemroot%\system32\wuaueng.dll,-105

 

[pjvex386]

I forgot one thing

One more thing.... one thing this guy will not let me touch is the hiberfil.sys on the root drive. It is hidden. I can delete the pagefil.sys, but not the hiberfil.sys. As Administrator, I am not even allowed to look at the security tab.

See Screenshot below.

 

[YupYup]

Run elevated command prompt "powercfg -h off" and bam say goodbye hiberfil.sys, i would ditch the bonjour service as well if i was you.

 

[pjvex386]

Wow...nice.

I did that and it worked--no more hiberfil. But the three card monty game continues. Now the pagefile.sys is the file I cannot delete. First the pagefile.sys was hidden, so I did an c:\attrib -a -s -h -r -i *.* I got the following:

Unable to change attribute - C:\pagefile.sys

When I try to look at the properties, I get the same as I did for the hiberfil.sys. See screenshot.

I would be glad to get rid of those because those contain files that make his hijacking jobs a lot easier.....

Yup. Thanks for your response. I would like to rid my drive of those files (although i understand the utility of the pagefile.

My main question to you and to anyone (and everyone) is .... is there a registry setting where I can disable all bluetooth connectivity? Plus make this setting persistent, and not in a volatile environment.....?????


And Yup, I hate Apple's use of Bonjour...nothing but trouble. I have just reinstalled everything so many times, I forget about that. Anyway I clicked it away in HJT. Speaking of which, I thought I would paste my current run of HJT for anyone so that it may be assistance. I marked entries in red I am concerned about.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:40 AM, on 5/2/2009
Platform: Unknown Windows (WinNT 6.01.2981)
MSIE: Internet Explorer v8.00 (8.00.7077.0000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [DVDAgent] "C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O13 - Gopher Prefix:
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_8b2066212420dc24\AESTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_8b2066212420dc24\STacSV64.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 6152 bytes


Paul
​

 

[YupYup]

Type "virtual memory" in the start menu it will show you how to turn off the pagefile, as for bluetooth there is a service that can be disabled for that.

 

[darkassain]

Type "virtual memory" in the start menu it will show you how to turn off the pagefile, as for bluetooth there is a service that can be disabled for that.

not only that but you can disable the driver or unnistall it...
you can even unnistall the driver and delete the service...
as for the reason for pagefile not being assescible is more by desing as your OS and apps write to disk and back
this article should be a good start on that
http://blogs.technet.com/askperf/archive/2007/12/14/what-is-the-page-file-for-anyway.aspx

 

[pjvex386]

Thanks guys

Yup & Dark (and to others who may be reading).

I understand some of the basics of the pagefile--i.e. that it is virtual memory, and how windows uses it.

Perhaps I am just getting skiddish..... but that is also why I offered to let someone SSH to my PC... I have been posting about this particular issue since late February and it spans two laptops (again, my fault for reinfecting the second laptop).

But first, let me just get some foundational understanding since I have no benchmarks....

After deleting the hiberfil (and again, thank you for that command...honestly, I may have tried to use it before, but the files names in my system32 directory change quiet often), this is what my C:\ root directory drive looks like (using c:\dir /a). Can someone confirm that for Win 7, 64 bit, these are all common directories?

Volume in drive C has no label.
Volume Serial Number is A269-346A

Directory of C:\

05/01/2009 01:34 PM <DIR> $Recycle.Bin
04/05/2009 12:34 AM <JUNCTION> Documents and Settings [C:\Users]
05/02/2009 03:50 AM 4,024,258,560 pagefile.sys
04/04/2009 09:44 PM <DIR> PerfLogs
05/01/2009 05:13 PM <DIR> Program Files
05/02/2009 11:06 AM <DIR> Program Files (x86)
05/01/2009 05:13 PM <DIR> ProgramData
05/01/2009 01:34 PM <DIR> Recovery
05/02/2009 09:23 AM <DIR> swsetup
05/02/2009 11:05 AM <DIR> System Volume Information
05/01/2009 01:34 PM <DIR> Users
05/02/2009 11:07 AM <DIR> Windows
2 File(s) 4,024,259,457 bytes
11 Dir(s) 228,287,938,560 bytes free


Then...next is a log of the sysinternals diag app called TCPVIEW which I believed I posted here once before. Now at the time of this log I was on the internet, and was in gmail, and on another board in addition to this one. But there are so many IPv6 and UDP connections (which is another signature -- in my opinion -- of something being not quite right), that I wanted to get your opinion. I had mentioned in a post several weeks ago, that the use of the loopback adapter with ipv6 is a component to this as well.

[Note: Security Team is a board I was on when I ran this, and also, "Prague" is the name of my pc.]


TCPVIEW LOG/SNAPSHOT
AppleMobileDeviceService.exe:1460 TCP Prague:27015 Prague:0 LISTENING
firefox.exe:2580 TCP Prague:49383 localhost:49384 ESTABLISHED
firefox.exe:2580 TCP Prague:49384 localhost:49383 ESTABLISHED
firefox.exe:2580 TCP Prague:49385 localhost:49386 ESTABLISHED
firefox.exe:2580 TCP Prague:49386 localhost:49385 ESTABLISHED
firefox.exe:2580 TCP prague:51725 198.63.194.35:http ESTABLISHED
firefox.exe:2580 TCP prague:51730 icebridge-c.infospace.com:http ESTABLISHED
firefox.exe:2580 TCP prague:51761 iw-in-f19.google.com:http ESTABLISHED
firefox.exe:2580 TCP prague:51774 host-server1-support-securityteam.com:https CLOSE_WAIT
firefox.exe:2580 TCP prague:51775 iw-in-f19.google.com:http ESTABLISHED
jusched.exe:2416 TCP prague:49330 198.63.203.73:http CLOSE_WAIT
lsass.exe:528 TCP Prague:49156 Prague:0 LISTENING
lsass.exe:528 TCPV6 prague:49156 prague:0 LISTENING
services.exe:488 TCP Prague:49155 Prague:0 LISTENING
services.exe:488 TCPV6 prague:49155 prague:0 LISTENING
svchost.exe:1172 UDP Prague:llmnr *:*
svchost.exe:1172 UDPV6 prague:5355 *:*
svchost.exe:1504 UDP Prague:ssdp *:*
svchost.exe:1504 UDP prague:ssdp *:*
svchost.exe:1504 UDP Prague:ws-discovery *:*
svchost.exe:1504 UDP Prague:ws-discovery *:*
svchost.exe:1504 UDP Prague:49152 *:*
svchost.exe:1504 UDP prague:61501 *:*
svchost.exe:1504 UDP Prague:61502 *:*
svchost.exe:1504 UDPV6 [0:0:0:0:0:0:0:1]:1900 *:*
svchost.exe:1504 UDPV6 [fe80:0:0:0:f1b7:192:5db4:4cf3]:1900 *:*
svchost.exe:1504 UDPV6 prague:3702 *:*
svchost.exe:1504 UDPV6 prague:3702 *:*
svchost.exe:1504 UDPV6 prague:49153 *:*
svchost.exe:1504 UDPV6 [fe80:0:0:0:f1b7:192:5db4:4cf3]:61499 *:*
svchost.exe:1504 UDPV6 [0:0:0:0:0:0:0:1]:61500 *:*
svchost.exe:736 TCP Prague:epmap Prague:0 LISTENING
svchost.exe:736 TCPV6 prague:135 prague:0 LISTENING
svchost.exe:832 TCP Prague:49153 Prague:0 LISTENING
svchost.exe:832 TCPV6 prague:49153 prague:0 LISTENING
svchost.exe:832 UDPV6 [fe80:0:0:0:f1b7:192:5db4:4cf3]:546 *:*
svchost.exe:928 TCP Prague:49154 Prague:0 LISTENING
svchost.exe:928 TCPV6 prague:49154 prague:0 LISTENING
*System:4 TCP prague:netbios-ssn Prague:0 LISTENING
*System:4 TCP Prague:microsoft-ds Prague:0 LISTENING
*System:4 TCP Prague:icslap Prague:0 LISTENING
*System:4 TCP Prague:wsd Prague:0 LISTENING
*System:4 UDP prague:netbios-ns *:*
*System:4 UDP prague:netbios-dgm *:*
*System:4 TCPV6 prague:445 prague:0 LISTENING
*System:4 TCPV6 prague:2869 prague:0 LISTENING
*System:4 TCPV6 prague:5357 prague:0 LISTENING
wininit.exe:424 TCP Prague:49152 Prague:0 LISTENING
wininit.exe:424 TCPV6 prague:49152 prague:0 LISTENING

*What are these connections????


Lastly, as far as Bluetooth... First, are any of you familiar with this vulnerability or have you heard of it being used to implement full PC control? The microsoft bulletin is not that easy to find, but ut is here: http://www.microsoft.com/technet/security/bulletin/ms08-jun.mspx and an update to that buletin here http://support.microsoft.com/kb/951376

First thing (per microsoft) I have gone into the c:\windows\inf director and deleted every file that started with BTH (and there were at least 10), which had extensions of .inf or .pnf. I basically executed a del bth*.inf and a del bth*.pnf. But this did nothing... As far as a bluetooth service.... there may be one, but it is not a native windows service.

I won't list all of my running services now. But as I said in my first post, since day 1, a service related to audio was always running and I never understood why. I had never seen this in XP (nor Vista to the best of my recollection), and it seemed peculiar--especially because when I typically booted up, my audio would not work (the little speaker with the lined-through circle would be orange on my laptop panel). And from what I have read, since bluetooth is often used to connect to audio devices, I guessed that this was a source. I deleted the service and it caused a complete mess of everything. For example, I was denied access to my own root drive. Does there seem to be a causal relationship there?

But this audio service now does not run. There is another service, but I do not what it is, and there are too many non-native services for anyone to guess. What I might do (since I do it every two days or so anyway out of necessity) is reformat and reinstall Windows 7 from scratch. Then 10 minutes after that--without any program installations being done -- I will post my running services and someone can tell me if there is a "fly"

Paul

 

[Dwarf]

Hi Paul,

What is this swsetup directory?

 

[pjvex386]

Dwarf:

That directory is used by HP. It is where drivers are located and it is used in some recovery processes. I do not really use it or know about it because, as I said, I had to reformat this laptop about 3 hours after I bought it. I then installed WIN 7 (Build 7077) on it and then installed drivers from the HP website. But as you may know, HP does not include all drivers...which is why I had to pay and order for the disks so I can then wipe my drive completely.

EDIT: My mistake...ignore the remainder or my post (except the last paragraph is interesting). The search that I had done (discussed below), came up and I thought it said "C:\installer ". Actually the search was done on C:\ but the file I checked said "c:\windows\installer" which is legitimate.

See? I am getting so jumpy about this... I hate having to feel unsure whether I can or cannot do something on my own system. I cannot explain what I am experiencing...but it is the way the windows open and close... For instance I will install something, and an installer windows comes up, and then .1 second after that there is a slight tremor on the screen and then the installer dialog box comes up again. Besides all of the crazy files and GUIDs and encrypted bit masks all over the registry, it also feels like something is double-checking everything that is happening. And it is just too obvious when I install an antivirus application (and I have installed all of the applications listed on the Windows 7 page). It is the way the system will coincidentally hang. But it is not entirely random....my system behaves with a purpose. If I download and try to install an AV application on my laptop, it will hang as soon as I install it. BUT, if I take my laptop to an internet cafe, use another PC, download the same AV installer virus application, put in on a flash drive, then install it on my laptop as quick as possible after inserting the flash drive, the application will successfully install until completion....but then it will never update (again is this a coincidence?), or there will be certain options greyed out which I know should not be (see an earlier post where I mention this phenomena when I was using Kaspersky back in February).

IF I had the means, I would pay any of you or some MS security consultant to travel to me and just look at my PC and try to work on it normall for 1 hour. They would realize that there is a virus/trojan, and that it is or has completly taken over my system. But what I do not understand is the motive. So far, nothing malicious has been done. It is as if he is just using my bandwidth or something. I have not figured that out.


But -- something strange just happened -- I was in a windows explorer directory searching on all files with today's date as date modified. While this was running, I tended to some other things in other windows. I just looked back and saw this (see screenshot). It says there is a directory called "installer" located on C.

I am only aware of "dir /a" as a means for displaying hidden directories and or folders. Is there a not only a hidden but a super-hidden attribute NTFS has which would allow these files not to be detected? (this is a footprint basically....I do not know why Windows Explorer ended up like that....but it was part of this hijacking I am suffering.

The main other "footprint" that I see (and I have seen it about 500 times), is when I go to regedit. You know how regedit saves the last key you edited or were viewing? Well, the one thing this guy does not do is disable this feature, so I have seen where he has been countless times -- that is not to say I understand the keys he is changing, but unless windows as to move around in the registry like that and then the last place windows referenced the registry is saved and would typically come up when you entered Regedit.exe (which I highly doubt is the case in WIN7 as I have never seen that occur before), then it is this phantom, because it is not me.

Paul