Hacker keeps getting in despite 3 reinstalls


Galcoolest
November 3rd, 2004, 02:40 AM
I apologize up front that this will be a tad lengthy, but I need to detail the mess so maybe someone can offer up ideas...

Right after I installed SP2 from disk onto my Home Ed. XP two weeks ago, I got very badly hacked and had my system basically destroyed bit by bit by a malicious creep. Very ironic, no? cus SP2 is about security. He was hiding deep in a hidden user and lashed out when I found him trying to store his stuff on my PC and I started deleting it.

After I wiped and reformatted, the attacker was right back at me. Then I did a low level format, and again reinstalled Home XP and SP2. Even before I got on the net (dial-up only for now since my LAN was where the destructive attacker came from), strange things started up all over again.

My login box has runaway dots in every user I open, and I have to hit backspace a bunch of times to get the running dots to stop. Then my PC (not using the Welcome screen) asks for my passwords 3 times if I am online and logging on to use another name. It doesn't do that when I am offline, but the dots still take off. (Dell had no idea what to say as they came back instantly after a complete system cleansing, and they have never heard of this). Also, my keylogger snooper sees nothing, but it sure seems fishy.

My Services settings in MMC keep changing from the "no unnecessary interactions with others" formulation suggested by many XP help sites, including Black Viper's (whose advice isn't always perfect, so I have enabled System Restore, for instance). In other words I am not disabling anything vital, so the System isn't doing this I don't think, having a meltdown or something, because of misconfiguration. The things that happen seem deliberate and sinister.

Very distressingly, when I try to expand Component Services, the MMC shuts down instantly. No other service does this (that's the one that would tell me my computer COM+ configuration). The Administrator and System are the only two users with full control of the WMI configuration. The root console is write-protected, or so I thought. But services AND permissions keep changing. I got kicked out of seeing my own documents under one limited user. There is an "unknown user" with a numerical name showing up on my permissions lists. System restore points I set vanish.

And like before I finally found the hacker recently, I now see duplicates of my screen names in Windows Explorer, like say mine is "User" and a new one is there "User:My Computer Name". Why is XP doing that? These new dupe names are not seen except in Explorer. The unknown guy is only in permissions.

I ran the Microsoft Baseline Security test and it came back saying that it couldn't access my registry. A day or so after reinstall XP told me I had to reactivate again (second time in 2 days) because so much hardware had been altered. (I went and looked, and I see all sorts of drivers that are new, esp. networking ones--) is this just SP2, and if so, why didn't XP say this last time I installed SP2?

And my main limited surfing name had its entire desktop wiped off again. And I cannot access the All Users profile, and Shared Documents has disappeared and is now called Documents, inaccessible.

Norton AV has had two strokes. Zone Alarm keeps asking me if I want to allow Generic Host Process to be a server (NOT!), and there are scores of hits at the wall hourly (have not set up the router yet, as it was trouble too!) And the warning about other users on the system at shutdown is back- but I cannot see one in Task Manager of course, just that SVHOST is ranked up enormously. There is also an unknown user in the security and applications logs, "N/A", but I cannot tell what he's doing.

PLUS there is a bunch of software popping up in my program files that I did not install. What's Xerox? Which part of XP installs MS FrontPage??

How could all this stuff be happening AGAIN!!? It started even before I got online!! I did a low-level format! I use Maxtor's software and it took like 3 1/2 hours. This after I had ALSO erased my system and private files with Eraser and had run the Maxtor utility to totally check every cubbyhole of my drive for integrity. Supposedly this was as healthy and clean as I could ever get this bugger. And I'm not on my old LAN, but AOL temporarily. I have new names and passwords. My firewall is tight- and shows no intrusions! I know about and religiously use every bloody piece of recommended protection software known to man!

Is it possible my SP2 disk has some malware on it that some nice MS techie snuck in? I'm sure they could bury code on some prints of it, the disk stamping crew wouldn't know it.... Just for the yuck of it,,,

None of this crazy stuff happened before SP2 install 2 weeks ago. I mean, though I was hacked before when I first got XP, a wipe got rid of him. And my experience with my invader is that he is one helluva computer expert and has great fun undoing everything I do, then locking me out of stuff, and finally wiping my files.

I am dead serious! If some guy is jumping on my machine like this ---third time now- and it's ONLY after I load up the SP2 that stuff starts going downhill, and then REALLY downhill once I get online, I wonder if the SP is phoning home to someone????

I'm upgrading soon to Pro anyway, cus I am plain fed up with Home's security, networking, and user limitations, but I would still appreciate comments. I think I'll be uninstalling SP2 off of Home damn soon though, as I never had problems until I installed it last month and want to see if they go away. I mean it's just too damn bizarre. And infuriating!
Thanks for any comments you can make.
Gal :(

still_longhorn
November 3rd, 2004, 03:28 AM
Amazing! You have Zone Alarm that prevents anyone from calling home.... You are using dial up which means your connection is dynamic, yet a hacker can find you just like that? Amazing!

IMO the two conditions above rule out hacking. Have your CMOS/BIOS checked....

Down_Under
November 3rd, 2004, 03:33 AM
Download and install Access Manager 2.054
http://www.snapfiles.com/download/dlaccessman.html

Notok
November 3rd, 2004, 03:49 AM
From what I understand, it's easier to find you when you're on AOL (even with a dynamic IP) and a hacker can always target your specific firewall. But from what she said, the attacks came even before getting online? Any physical connections to the network? Wireless network cards?

Having the CMOS/Bios checked is a good idea, not only on the motherboard but the video card (I've seen mention of rootkits that claim to be able to store info on your video card's bios)

Since you are using XP Home, there's no Group Policy Editor, but you can make a lot of the same changes in the registry (http://home.covad.net/~zeiler07/gphome.html Careful!), which would be my highest recommendation.

If you haven't already, UNINSTALL file & printer sharing (control panel > network connections: right-click on your connections and select properties, select and 'uninstall' "file and printer sharing"). Also, while you're in the Control Panel, go into Internet Settings and change the "Internet Zone", "Local Intranet", and "Your Computer" to 'high'.

Some additional settings can be disabled easily with SafeXP (http://www.theorica.net/safexp.htm) including DCOM .. Windows Worms Door Cleaner (http://www.firewallleaktester.com/wwdc.htm) is another good one, covers some different ground than SafeXP.

ProcessGuard (http://www.diamondcs.com.au) would stop things from running without your knowing and a lot more.

You can scan for malware using TDS-3 (same site as ProcessGuard) in safe mode, make sure to go into 'scan control' and select 'scan for clients\editservers', and of course make sure you download the latest update with it. Another one while you're on this site would be Port Explorer, see what's connecting out of your computer. You might take a look at their freeware, too.

You might think about using a different, less popular, firewall (temporarily.)


Prevx (http://www.prevx.com) may or may not be of help here, but it would alert you to (and prompt you to allow or deny) file activity in the windows directories and program files directories, as well as some buffer overflows.

You would probably want to make any of these changes offline, download the files at a friend's house if you have to. You can also set up the router offline, which would probably help. While offline you should probably change to some very strong passwords.

Notok
November 3rd, 2004, 03:53 AM
-{ Quote: "Download and install Access Manager 2.054" }- Better yet, don't keep your passwords on the computer at all.

meneer
November 3rd, 2004, 07:02 AM
Did you create an admin account with a complex password and did you create a regular user account for yourself?

Don't ever use admin, except for hardware changes.

Install XP without any network device attached (modem, network).

nadirah
November 3rd, 2004, 07:28 AM
You may have a backdoor or a RAT( Remote Access Trojan ) on your computer.
There is a backdoor on your computer that is allowing a malicious hacker to compromise your system and control it remotely. The hacker may have some sort of method to bypass all the security programs on your computer.

Also, you state that you have Zone Alarm firewall installed on your computer. But did you configure Zone Alarm properly for optimal protection?

Hackers can do all sorts of things to your computer, I wouldn't be surprised if your CD-ROM drive popped open on its own when you did not touch it.

Also, you state that you installed SP2, is your copy of SP2 genuine? Pirated software should not be installed.

Infinity
November 3rd, 2004, 07:34 AM
can you go into safe mode and scan your system with tds and ewido?

also for this beast I think norton is too light (not on resources but on sigs and detection)

you find a copy of ewido here:

http://www.ewido.net/en/

the copy of tds Notok has given you.

to be honest it is the second time I see this with someone and that in a month time. creepy, and dangerous damn damn damn...

if it really is on your vga card or in your bios mem then I think the only thing you can do is.... .... purchase a new mobo but this I am not sure.

Notok
November 3rd, 2004, 02:02 PM
-{ Quote: "if it really is on your vga card or in your bios mem then I think the only thing you can do is.... .... purchase a new mobo but this I am not sure." }-
If this is the case the BIOS can probably be re-flashed, but if you aren't 100% sure of what you're doing it's best to have a pro do it for you.

still_longhorn
November 3rd, 2004, 03:47 PM
It is very difficult to "stalk" a dynamic IP on the net, much more hack the same system three times after being formatted.
IMO there are two types of people who do these things: Hackers & Script kiddies. The former are probably more skillful but need the proper motivation or incentive to want to hack into any system. (I do not see why any skilled hacker would want to break into a newly formatted HDD.)
The more probable type would be the script kiddie, a creature of opportunity that relies more on available scripts and apps that assist him in his endeavor. Being less skillful than the hacker, he surfs the net looking for opportunities and vulnerabilities by scanning entire subnets in the hope that an easy target pops up. The tools for these are readily available. In fact, there is one very popular app among script kiddies that searches for vulnerable systems and allows them to map the victims' HDDs into their own. (For you in the know, the app's name starts with an "L" and the latest version is v2.1.) All it really takes is to use a super scanner like Asm* to find Net-bios connections and then run "L"v.2.1 and your C:\ is mine. (No kidding!)
Now, given the above scenarios, what are the chances of finding the same system 3 times? IMO it has to be the CMOS/BIOS...

Galcoolest
November 4th, 2004, 07:30 PM
This person is very po'ed that I deleted all of his files he was hiding on my PC- so he's after me for sure.

I flashed my bios, hoping that will make a difference.


We'll see. :-\

still_longhorn
November 4th, 2004, 08:11 PM
Oh... OK....

Galcoolest
November 6th, 2004, 01:46 AM
I think it's over with now! All the craziness! Since I flashed the Bios and ran sfc.exe and installed some of those monitoring tools you all suggested (mine weren't up to snuff, I guess), I have had pretty much no problems at all! No one is knocking at the door (I got my DSL and router re-hooked up), my registry is quiet, and everything's darn cool again!

Yes, I am now convinced this WAS a BIOS embedded trojan that was screwing up my PC and somehow allowing the creep bothering me to get in.

Thanks guys! I'm still "turning Pro" soon, though, because I am plain fed up with Home's limitations overall.... ;D

Notok
November 7th, 2004, 05:55 AM
Just found some good tips here, too:
http://securityadmin.info/faq.asp#harden

jame232r
November 7th, 2004, 10:56 AM
LOL, yet another one of those "superhacker broke into my computer despite a zillion precautions and a zillion methods of removal" stories.

I suppose it's one of those ultrarare bios or even microcode malware that you hear in rumours

No chance it's just user misidentification of a simple worm?

niche99
November 7th, 2004, 01:57 PM
"There is an "unknown user" with a numerical name"

Partition a drive so that you have c:, d:, e: etc drives. Then install WinXP onto the c: drive. Put some files onto d: or e:. Now reformat only the c: drive and reinstall WinXP to the c: drive. Files on the d: and e: drives will now belong to a user from the previous installation of WinXP and will be identified by an SID number (long string of numbers which uniquely identifies a user). Reinstalling after a format can cause all sorts of user id conflicts on your drive and in the registry if you don't know what you're doing especially with simple file sharing disabled.

niche99
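One way to check for yourself whether the "unknown user" with a numeric name is the orphaned SID niche99 describes. The PowerShell below is an added example written for this thread, not niche99's or anyone else's code; it assumes a current Windows host with PowerShell 5.1 (the Get-LocalUser cmdlet) and walks a drive, reads each file's owner SID, and reports every owner that no longer resolves to an account, telling a SID minted by a different installation (different machine SID prefix) apart from one that belonged to an account since deleted on the current installation.

```powershell
# Added example (not from the thread): find files whose owner SID no longer
# resolves to an account name. After a reinstall those show up as an
# "unknown user" with a numeric S-1-5-21-... name. Assumes a current Windows
# host with PowerShell 5.1; run from an elevated prompt so Get-Acl can read
# every item.

function Get-LocalMachineSid {
    # Every local account SID is <machine SID>-<RID>; AccountDomainSid drops the RID.
    # A fresh install generates a new machine SID, so files owned by accounts of
    # the previous installation carry a different prefix.
    $anyLocalAccount = Get-LocalUser | Select-Object -First 1
    return $anyLocalAccount.SID.AccountDomainSid.Value
}

function Find-OrphanedOwners {
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. 'D:\'
        [switch] $Recurse
    )
    $machineSid = Get-LocalMachineSid

    Get-ChildItem -LiteralPath $Path -Recurse:$Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                $acl      = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
                $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
            } catch {
                return   # item not readable even as administrator; skip it
            }

            # Translate() throws IdentityNotMappedException when no account matches the SID.
            $resolvedName = $null
            try {
                $resolvedName = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # unresolvable: leave $resolvedName as $null
            }

            if ($null -eq $resolvedName) {
                # AccountDomainSid is $null for well-known SIDs, which always resolve anyway.
                $fromOtherInstall = ($null -ne $ownerSid.AccountDomainSid) -and ($ownerSid.AccountDomainSid.Value -ne $machineSid)
                $verdict = if ($fromOtherInstall) { 'orphaned: owner belonged to a different installation' }
                           else { 'unresolvable: account deleted on this installation' }
                [pscustomobject]@{
                    Path     = $_.FullName
                    OwnerSid = $ownerSid.Value
                    Verdict  = $verdict
                }
            }
        }
}

# Usage: list orphaned owners on the data partition, then reassign ownership
# deliberately (takeown.exe or icacls.exe /setowner) instead of deleting the
# "unknown" entry from each ACL by hand.
# Find-OrphanedOwners -Path 'D:\' -Recurse | Format-Table -AutoSize
```

The report separates the two harmless explanations a reinstall produces: a different machine-SID prefix means the owner was an account of the old installation, while a matching prefix with no resolvable name means an account that was deleted on the current one. Either way the fix is an administrator reassigning ownership, not a removal tool.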

Torvalds_No.1_Fan
November 7th, 2004, 02:29 PM
-{ Quote: "This person is very po'ed that I deleted all of his files he was hiding on my PC- so he's after me for sure." }-

I too read this thread and concluded this could all be explained as "symptoms" of certain facets of XP behaviour. That is with the exception of the above, highlighted comment.

What kind of files were they?

Where were they hidden?

Do you know a guy called Swami? He's a bit of a legend on the 'net. You should read his account of "The World's Worst Trojan". It's the stuff nightmares are made of...unless you have a best mate who has worked in computer programming all his life and can point categorically to all the areas the tale falls flat.

Hope all is well with your computer now, anyway. Why not learn an alternative operating system? Just to safeguard yourself? That way, when you get sick of all the exploits, and conclude Windows is no longer viable, the transition won't be so daunting, if you have already familiarised yourself with GNU/Linux. Or Mac if you don't object to a complete hardware-overhaul.

still_longhorn
November 7th, 2004, 03:25 PM
Guys! When you catch the culprit that survived a BIOS flash, 3 reformats and homed in on a dynamic IP, please call it "HOUDINI...."

Galcoolest
November 8th, 2004, 04:07 PM
The attack ceased when I flashed the BIOS- apparently, code was hidden as a rootkit way down there, as suggested by some of you on here. It did NOT survive the flash. I quote some stuff from Process Guard's Help section- sure wish I had had PC B4 all of this nonsense!!!

3. Block Rootkit/Driver/Service Installation
This option protects you against unauthorized programs loading drivers and services on your system. A new breed of software has emerged which are commonly called Rootkits. These Rootkits are extremely dangerous since they hide themselves fully from the operating system and most of the time you will never be able to notice it is there. Rootkits are even a danger to ProcessGuard so you should have this option enabled.
If this option is enabled and an application you use wants to install a driver or a service it will be logged so you can see this. You can then determine if you want to give that application the ability to install drivers or services. A lot of security programs require the ability to install drivers and services, however be warned that giving unknown or non trusted applications the ability to install drivers and services can allow dangerous rootkits to be installed.


What is a kernel-mode driver?
Put simply, under Windows NT-based systems (including Windows 2000, Windows XP, and Windows 2003) a kernel-mode device driver is a 32-bit modular component that runs at a privileged level (known as Ring 0 to those familiar with Intel hardware) on the computer's CPU. As such, drivers run as trusted components of the kernel, virtually becoming a part of the operating system itself. See the Definitions page for a more detailed description.

Kernel & User modes
A Pentium microprocessor has four privilege levels, also known as rings, that control such things as memory access and access to certain sensitive CPU instructions (such as those related to security). Every thread executes at one of these privilege levels. Ring 0 is the most privileged level, with complete access to all memory and CPU instructions. Ring 3 is the least privileged level.

In order to maintain compatibility with non-Intel systems, the Windows operating systems support only two levels of privilege - Ring 0 and Ring 3. When a thread is running in Ring 0, it is said to be in kernel mode. When a thread is running in Ring 3, it is said to be in user mode. Low-level operating system code executes in kernel mode, whereas, in general, user application code runs in user mode.

Note that an application thread will switch from user mode to kernel mode when making certain API function calls that require a higher privilege level, such as those that involve accessing files or performing graphics-related functions. However, when the kernel mode code is completed, the user thread is automatically switched back to user mode. This prevents the programmer from being able to write instructions that run in kernel mode--the programmer can call only system functions that run in kernel mode.

The protection from Process Guard comes from its driver, which runs in kernel mode.


protects against all known "process based" modification attacks.


1. Protect Physical Memory
Applications that run with administrator privileges can actually access the physical memory on your computer. Every program you run is handled by Windows using "Virtual Memory" techniques which help to protect applications from one another. If an application can view or change the actual physical memory, then it has the possibility to change anything at all on the system which is in the memory. Obviously this is a major security hole which if not protected against, makes every single protection mechanism on your system vulnerable to attack.

ProcessGuard however provides protection against all these physical memory attacks by restricting applications access to it. If some application you need to use actually requires physical memory access (a few security programs and games do), you can allow that specific application to access physical memory. This means you get the full advantage of protecting your system from this serious threat, whilst still using the programs you currently use.

2. Block Global Hooks
Global Hooks are used to add extra functionality to the operating system. Some of this functionality is good and some of it is bad. For instance with a Global Hook a program can record all your keystrokes and mouse movements. Malicious software uses this to steal bank passwords and pin numbers, as well as to intercept emails and many other things. By blocking global hooks you stop the malicious software from being able to do these things, however many normal programs use global hooks so don't just assume every global hook is a bad thing.

If this option is enabled and an application you use requires global hooks then ProcessGuard will alert you. This will allow you to give that program the ability to install Global Hooks if you desire. Some applications are worse than others at handling not being able to install their global hook, so when in doubt you should always give trusted programs the ability to install Global Hooks. ..................
[3. is above]

4. Block Registry DLL Injection
Programs can add their DLL to the list which is stored in this registry key. Once they have added their DLL it will be loaded by 95% of the programs you run on your computer. This leads to a possible attack whereby malicious software can put their DLL into a trusted program and do unwanted things. You should have this option enabled all the time since mostly malicious software uses it. Some spyware such as CoolWebSearch (CWS) use this technique to make it extremely hard to remove from your system.
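The ProcessGuard excerpt above describes two persistence points, driver/service installation (item 3) and the registry DLL list (item 4), but the help text does not name the key; the Windows value that works that way is AppInit_DLLs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. Because the complaint in this thread is that services and drivers keep changing between a clean install and the first time online, the useful defensive habit is a baseline-and-diff rather than a one-off scan. The PowerShell below is an added example written for this thread, not DiamondCS code and not from any poster; it assumes a current Windows host and records the kernel and file-system driver services with their signature status plus the AppInit_DLLs settings, so two snapshots taken before and after a suspect event can be compared.

```powershell
# Added example (not from the thread or from DiamondCS): snapshot the
# persistence points the ProcessGuard help describes and diff two snapshots.
# Assumes a current Windows host; reading HKLM and checking Authenticode
# signatures needs no elevation.

# DLLs listed in this value are loaded into most user-mode processes; this is
# the mechanism behind "Block Registry DLL Injection".
$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Resolve-DriverPath([string] $ImagePath) {
    # Service ImagePath values come in several spellings:
    #   \SystemRoot\System32\drivers\x.sys, System32\drivers\x.sys,
    #   \??\C:\path\x.sys, or a plain full path (possibly quoted).
    $p = $ImagePath.Trim('"')
    if ($p -match '^\\\?\?\\(.*)$')         { return $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.*)$')   { return (Join-Path $env:SystemRoot $Matches[1]) }
    if ($p -match '^(System32|SysWOW64)\\') { return (Join-Path $env:SystemRoot $p) }
    if ($p -match '^[A-Za-z]:\\')           { return $p }
    return $null
}

function Get-PersistenceSnapshot {
    # Type 1 = kernel driver, Type 2 = file-system driver: the "drivers and
    # services" an unauthorized installer would register.
    $drivers = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $svc = Get-ItemProperty -LiteralPath $_.PSPath
            if (($svc.Type -in @(1, 2)) -and $svc.ImagePath) {
                $file = Resolve-DriverPath $svc.ImagePath
                $sig  = if ($file -and (Test-Path -LiteralPath $file)) {
                            (Get-AuthenticodeSignature -LiteralPath $file).Status.ToString()
                        } else { 'FileMissing' }
                [pscustomobject]@{
                    Name      = $_.PSChildName
                    ImagePath = $svc.ImagePath
                    Start     = $svc.Start
                    Signature = $sig      # Valid / NotSigned / HashMismatch / ...
                }
            }
        }
    $appInit = Get-ItemProperty -LiteralPath $AppInitKey
    [pscustomobject]@{
        Taken       = (Get-Date).ToString('o')
        AppInitDlls = [string]$appInit.AppInit_DLLs
        LoadAppInit = [int]$appInit.LoadAppInit_DLLs
        Drivers     = @($drivers)
    }
}

function Compare-PersistenceSnapshot($Before, $After) {
    # Emit one line per driver added or removed and one if the AppInit list moved.
    $added   = $After.Drivers  | Where-Object { $_.Name -notin $Before.Drivers.Name }
    $removed = $Before.Drivers | Where-Object { $_.Name -notin $After.Drivers.Name }
    foreach ($d in $added)   { "ADDED driver   $($d.Name)  $($d.ImagePath)  [$($d.Signature)]" }
    foreach ($d in $removed) { "REMOVED driver $($d.Name)  $($d.ImagePath)" }
    if (($Before.AppInitDlls -ne $After.AppInitDlls) -or ($Before.LoadAppInit -ne $After.LoadAppInit)) {
        "CHANGED AppInit_DLLs: '$($Before.AppInitDlls)' -> '$($After.AppInitDlls)' (LoadAppInit_DLLs $($Before.LoadAppInit) -> $($After.LoadAppInit))"
    }
}

# Usage: snapshot right after the offline install, again after going online, then compare.
# Get-PersistenceSnapshot | ConvertTo-Json -Depth 4 | Set-Content before.json
# Get-PersistenceSnapshot | ConvertTo-Json -Depth 4 | Set-Content after.json
# Compare-PersistenceSnapshot (Get-Content before.json -Raw | ConvertFrom-Json) (Get-Content after.json -Raw | ConvertFrom-Json)
```

Keep the "before" snapshot on removable media written while still offline, so the comparison does not depend on files the running system could alter. An added driver marked NotSigned or FileMissing is the first thing to look at; a Valid signature from the hardware vendor is the expected outcome of Windows installing networking drivers after a service pack, which is the benign explanation for the driver churn described earlier in the thread.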

still_longhorn
November 8th, 2004, 04:33 PM
-{ Quote: "LOL, yet another one of those "superhacker broke into my computer despite a zillion precautions and a zillion methods of removal" stories.

I suppose it's one of those ultrarare bios or even microcode malware that you hear in rumours" }-

ENOUGH! HOUDINI is dead! It can't be done yet!

james232r
November 9th, 2004, 09:41 AM
Thanks for teaching us about kernel based rootkits :)

But a kernel based rootkit does not = bios or microcode malware.

Galcoolest
November 9th, 2004, 11:47 AM
Okay Guys---

Now you guys TELL ME what the HECK is going on. I am obviously a newbie of sorts (but not THAT new) to computing and all of this crazy extreme malware stuff (having been pretty protected and educated overall for many moons without much hassle)---- MY F***IN system went south again!!!
Right after I thought I had the thing licked, and happily said so here, the same crap started happening- new drivers getting installed, me being locked out of services like Components, all my MMC and WMI setups getting altered, files and programs appearing (not in the open, but in deep hidden admin shares), etc. etc. (which can be found by looking at modifications in SEARCH, thank goodness).

And I have just about had it because I did YET ANOTHER full low format with Maxtor software, flash of the BIOS, install of Process Guard, Prevx, and umpteen other spyware and malware tools, a properly configured firewall, an up-to-date virus program BEFORE I got on the net- and BOOM- back in the trenches I was, fighting this unknown and undiscoverable (by normal means ) code. So now I am at six reinstalls.

I decided to hell with XP right now until I find out how to deal with this, where it is hiding, etc., so I am on ME now (my old OS) and only so I can research this animal further, knowing full well that this is a way temporary situation. And all the same crap is happening to me now on ME as well.

My confusion is about where this malware is hiding and what triggers it. It obviously isn't simply in the BIOS per se, cus it keeps reappearing despite redoing of that. And I can't tell if it is remanifesting when I jump online or when I import an old file from disk-- dumb me, I wasn't distinguishing or noting those steps properly.

I can say, however, that since I loaded ME I have not imported a dang file from disk and it's showing up, meaning the alterations mentioned above are going down still, so I have to believe it is the getting online business that somehow spurs its renaissance. Last night I went four hours with no problems, after my reinstall which followed my last (overly hopeful ) post here---and then right at a specific time (which I tend to think was when I got online) the monkey business started again. But I'm not sure.

The events, application and security logs show repeated infiltrations by "N/A" user shutting down and reconfiguring stuff- to wit, turning on remote access, UPnP, Web Client, etc. and the appearance of myriad files and tracks on the internet to sites I have never heard of (hacker sites, don't ya know)...on and on and on. Right at 9:30 or so, and my install was at 5:40pm.

Please guys, I have been trying to research this beast on the net and am running in circles it seems. I cannot eradicate this damn thing because I cannot find another situation quite like it. SHould I uninstall all my drivers and cards (video, audio, etc.) or what? Is every file of whatever type I have saved off site infected and causing the reinfection, and if so, can they be cleaned? I mean how do you trace this kind of thing??? How do beat it?

I do have some interesting IP info on N/A which I plan to investigate right now, but I wanted to post this PDQ too to elicit your expert help if you'll grant it.

I have read elsewhere that there is no solution. That even the experts cannot figure out how these newest rootkits or worms or whatever they are operate- their stealth and caginess seems to elude even the brightest safe crackers.

What should I do?????

And please boys, don't belittle or tease or make snide comments. This is serious sh*t to me- my life's work may be polluted now.
HELP!!!!!! :(

Jimbob1989
November 9th, 2004, 12:12 PM
Galcoolest, I have sent you a private message offering my services...

come on guys, she's female and in trouble, I have to help... ::)

Galcoolest
November 9th, 2004, 12:35 PM
Sorry folks- can't diddle at this moment with proper quoting, cus I don't know how!- but here are some excerpts from the trojan section about these "super trojans" ---and my comments right after....
8888888888888888888888888888888888888888888888888888888888888888


From: A guy at Experts Exchange (posted by Starrob)

So I need a new BIOS chip, probably.
Only thing is that I already bought a new mainboard, memory, CD ROM, hard drive, video card and it still came back. So I don't wanna waste the money unless the box would be guaranteed completely clean. Plus, this means that initially, whatever kicked it all off had to be stored somehow on an original PnP component that has a driver that I didn't replace. These are:

3.5 Floppy
ThermalTake 9 Fan
Keyboard
Mouse

BTW...did an install of XP Pro from a new factory OEM CD
and this did not help.

Oh...once installed, it seems to create a virtual duplicate drive for your floppy and CD ROM drives. I can see this because I can't connect more than one floppy drive when I should be able to connect two, and no slave CD/DVD drives are allowed...to do so means blue screen.
Probably explains why FDisk and all the other dos utils don't work, because the version on the disk is not the version that's actually running. Rather, the one on the virtual disk is.

On the plus side, I did figure out how to disable it before it installed all its nastiness, by going in thru Recovery Console after a fresh install and getting rid of certain things that should not be there. However, who knows if this would keep someone out if I connected it to the net again?

Way too weird.
Maybe it isn't a hacker at all, but Microsoft's little monitoring tools in play. But there's so much I experienced while living with this individual I suspect that that's much harder for me to believe than anyone who reads this.

So still unsure what to do to clean my box completely. A co-worker suggested I write a C++ program to write directly to ROM...just don't have the time to do this at the moment.

P.S. ewall..u want the script? I have it, but trust me, you probably don't want it.

See, this is the problem with Windows. As they keep moving us farther and farther away from the base level, fewer folks know what to do when someone who makes it their purpose to know how to exploit the cracks tunnels down into them.
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
From Paranoid 2000:

BIOSes are system-specific. While trashing a BIOS is relatively straight-forward, writing a piece of malware that can alter a BIOS to replicate itself while not affecting other BIOS functions would be a true masterpiece. It would either have to be very system-specific (e.g. targetting Dell Inspiron laptops only - greatly limiting its spread) or include the ability to perform a comprehensive analysis of BIOS code to identify a good insertion point.

The example given is ridiculous - not only does this "super trojan" alter drive interfaces, but it also includes a copy of Linux, can overwrite read-only CD-ROMs and presumably fouls up the local coffee machine too. The only remotely plausible explanation is that this PC is being continually re-infected by another system on their LAN.

Malware can survive a reformat by creating a hidden disk partition and installing itself there - but FDISK should detect it, and allow you to remove it.

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
from Controler:

think if you look back on my old posting you will see me almost always mentioning for you to reflash your BIOS, FDISK, then reformat.
Some people can't just wipe their hard drives for critical info but they can still reflash their BIOS.
I have seen a few hard drives that would not work unless they were low level formatted first, then formatted normally.
The newest thing lingering on the net Blaze is the ability of nasties to hide on the Video card memory I believe.

On a side note after reading the post at the link Starob posted. I wonder why the dude didn't just pull the little itty bitty MOBO battery out for a while.
Then the only data left in his BIOS should have been factory non reflashable data not including any rootkit. Yes he would have to reset all his BIOS settings again but that is far cheaper than buying a new PC.
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&


From : Starrob
If this thing was possible, I am quite sure that it would be talked about a lot more on the blackhat sites but it appears the script kiddies have more mundane concerns like how to keep their trojans hidden from existing scanners and how to keep from being detected by firewalls.

I am quite certain that there are extremely bright people out there that might have built a super-trojan (possibly different governments?) but I am relatively sure that those trojans' capabilities are far less than the "super-trojan" in the article.

Anyway...I doubt the super-trojan could defeat PG v3 as it stands right now. I think PG is a BIG problem for those trying to install trojans on a computer. Nothing is 100% but I believe PG would be extremely difficult for a large percentage of the computer gurus to beat.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

First off guys--- this IS being talked about all over the place- and I am in such a bloody rush right now, I cannot go hunt down links, my apologies (the links were on my last XP installation, the saved files for which I don't want to access right now...)

Secondly, even doing a manufacturer-supplied low level reformat (Maxtor made my mobo and I used Powermax) with fdisk and repartitioning in new ways did ZILCH to get rid of this.

Third, drives and drivers and components of all varieties seem to come and go so mysteriously that I cannot keep track of what is supposed to be there and what is bogus- duplicates abound, and it's practically impossible for someone like me to weed the real from the imposters.

Fourth, I may not be a pro but I am no idiot, and I have never seen or experienced this kind of poisoning in my 10 years of "consumer computing". It's outrageous. What you guys have said about "c'mon, give me a break, can't happen" is outdated, hate to tell ya. IT CAN AND IS HAPPENING. Get out your slingshots, but I am witnessing it. >:(

Don Pelotas
November 9th, 2004, 12:45 PM
Hi Galcoolest

The best advice I could give you is to post in the Processguard forum (http://www.wilderssecurity.com/forumdisplay.php?f=13) here at Wilders (since you are a customer), they are experts in the field of trojans/rootkits and would be able to assist you much better than most others would be able to. I hope you find the cause of this. :)

Regards

Jimbob1989
November 9th, 2004, 12:54 PM
She's in a rush and she wrote all that. One fast typer.

Jimbob

Detox
November 9th, 2004, 01:11 PM
it's called "copy/paste"

Infinity
November 9th, 2004, 03:21 PM
But that doesn't mean she can't type fast ::)

anyway, glad to have pg3 that is for sure. I am wondering what Jason would say about it...


If this is was on my machine I would get a third leg from it I guess, a long third leg...from the frustration it would give me... ;D

still_longhorn
November 9th, 2004, 03:54 PM
-{ Quote: "
Fourth, I may not be a pro but I am no idiot, and I have never seen or experienced this kind of poisoning in my 10 years of "consumer computing". It's outrageous. What you guys have said about "c'mon, give me a break, can't happen" is outdated, hate to tell ya. IT CAN AND IS HAPPENING. Get out your slingshots, but I am witnessing it. >:(" }-

What I clearly meant was that a SUPER HACKER finding you three times in the net after three reformats, a dynamic IP and a firewall that filters outbound packets was a statistical improbability.

But if you say that you are having one of those really rare hardware/software conflicts that are manifested in the ways you stated, then this perhaps is a more credible premise that a lot of members would love to dissect to death IMO.
In fact, these conflicts have become more and more commonplace and are even caused by utilities and apps that were installed to help the user.... The processes have evolved to become so complex that no one knows for sure what some specific files are for or if they can create conflicts within the system.

IMO on the average, a system can have 30-40 processes running in the background (excluding infections ::) ). Add to this apps that protect the registry plus apps that protect the protector and so forth and so on... then you begin to realize the potential for chaos. When a member gives an opinion that his/her experience with a certain app was favorable or safe, it does not in any way give that app a 100% fail-safe tag for the simple reason that there are several factors that may still have to be encountered: Configuration Errors, Failure to Handle Exceptional Conditions, Design Errors, Boundary Condition Errors, Input Validation Errors,etc.

Even conflicts arising from "straight from the box installations" are commonplace... What I am saying is there can be several logical explanations to your problem but a Super Hacker is not one of them.

Notok
November 9th, 2004, 04:10 PM
I agree, this is starting to sound like a problem for truly expert help.

BTW, galcoolest, are you using the paid version of PG? It's only the paid program that will stop drivers from installing.
And for godssake, get OFF ME.. it's MUCH easier for these things to directly affect your hardware while running Windows 9x/Me. Getting XP Pro would definitely help in being able to set restrictions to curb some of these behaviors.

A couple things that we need to know:
Are you physically disconnected from any networking while reformatting? Remove the cables until everything is completely done, if you have any wireless adaptors then pull them out until you get this resolved.

Are you getting any kind of alerts from Prevx or ProcessGuard before this stuff happens, or does stuff just start to happen? As asked above, are you using PG free or paid?

Have you scanned with TDS-3 in safe mode? Did it turn up anything?

I'm almost starting to wonder if this isn't a physical threat. Do you lock your desktop when you leave the computer, etc? This is another area that XP Pro will help, you can turn on auditing to get logs of when there are logons and other changes related to security.

If you are worried that it might be something hiding out on your video card, one thing you can do is hit up your local thrift stores, they will often times have crappy video cards for practically nothing.

Notok
November 9th, 2004, 04:14 PM
Still_longhorn: Keep in mind that on AOL all they really need is the username.. they have utils that will wait until a username pops up and report the new IP, sometimes initiating the attack automatically. I've actually heard stories from the other end of this type of attack before..

Infinity
November 9th, 2004, 04:23 PM
To Galcoolest: do you have any brothers? Or some roommate working on your puter? Is this your own puter? I stand by Notok, saying a limited user account is one of the safest things to do for surfing the web while your power account is only for installing things, and ONLY then uncheck block drivers/rootkits/services if you have the full app.

you can try ssm which is free and gives a lot of security.


bye

Notok
November 9th, 2004, 04:36 PM
Another utility for the next time you reformat is nLite (http://nuhi.msfn.org/), this will let you remove some of the vulnerable components of Windows while creating a new install disk.. services, etc, can't be turned on if they aren't there to begin with.

Also, don't install any instant messengers if you can avoid it.

Peaches4U
November 9th, 2004, 04:42 PM
May I suggest having Shields and Ports tested from this site - it may answer some questions - https://grc.com/x/ne.dll?bh0bkyd2

Galcoolest
November 9th, 2004, 04:47 PM
Thanks for the replies guys-

The deal is that of course I unplug every bloody thing before I do the wipes and reformats, have no wireless anything, and have been using PG paid version (for a whole day!). And yes, both Prevx and PG went bananas on me, but it was always in conjunction with Windows or Outpost or other updates, as I wasn't grabbing other stuff off the net, so I thought the permissions I gave were appropriate (NOT!). And I have run every darn bit in Safe Mode, done netstats, cacls, shut down registry changes, you name it. Nothing works.

This is my concern actually: I reloaded from disk (cds) Prevx, Outpost, PG, RegWatcher, Eraser, SafeXp, CwShredder, HijackThis, Spybot, AdAware, Ie-SpyAd...but didn't run them all, just got around to installing Prevx and PG. ME needed 21 updates, which wouldn't download or install at first, until I tweaked the sentries just mentioned. Whatever. I decided to go with ME for a day in the hopes that the damn bug was embedded in WinXP and I could at least know that much.

No such luck. The same crazy stuff is happening on ME- though, of course, I have no way of documenting it like in XP--- it's evident though from having created a secondary user here on ME that something is dicking with the PC, cus when I try to log out it hangs bigtime, etc. And drivers I don't recognize are getting installed surreptitiously (different ones, but not ones I saw before), and strange software is showing up again- interestingly, without any notification from PG or Prevx!

I need to clarify: there isn't a hacker I can personify any more- my initial run in with all of this included an actual person who had his files (photos, music, code packs) on my PC- and as some of you know, personally destroyed my PC before my eyes when he found out that I HAD FOUND OUT about him hiding on my machine, and had deleted his files. ( Mind you, I saved a bunch of them, even though many were encrypted, and let him know the Feds were on it...).

No, now I am dealing strictly with trojan(?) malware- there isn't a physical, personal intrusion that I can see. Just crazy launching of code (scripts) which you can see by the times logged as happening simultaneously, within a minute, and no human could do that- change all your WMI and MMC stuff instantly. No, it's a bundle of software that's being released.

I cannot, though, figure out if it's triggered by something the Administrator does (in Home, he's the only one who can tighten the bolts), or reinstallation of say, Prevx or another program from disk, or the act of getting back on the Verizon Lan (cus this whole business has been connected to the LAN---the hacker was masquerading as local and then network service)- like is there some corrupt asshole who works for Verizon doing this??? I am not on AOL now (was there for a short bit last night out of frustration)- and have a Linksys router, properly configured, with my DSL.

As I am no techie, but also no fool, I have tried to suss out the source as best I can and am getting nowhere. Of course I know ME is insecure, but I don't care, cus this is a purely diagnostic install-to see if the **** is going on cross-OS- and it is, I believe.

I have been looking through Google for insights, and have seen sporadic recent mentions of this crazy sort of ineradicable nuisance (an example of which I posted above). I personally believe there IS SOME SORT of super nasty code being dumped around on certain machines, esp. one like mine: a typical, consumer, bonehead, mediocre Dell- the owners of which, in general, have no clue about this sort of thing and make perfect targets for stoolie machines in the schemes of malfeasants.

What I am trying to ascertain, esp. after reading that folks who have so much more knowledge than me are considering making their PCs garden art or door stops in the face of this stuff, is whether someone, some resource of geekabrains, has any clue how to 1) eradicate the monster and 2)clean what it's polluted? Can you all even send me to a (yikes) "professional" outfit ($$) that could evaluate the cost/benefit analysis of this mess? (Screw the PC- I want my files cleaned!)

Thanks my friends. I am not a beginner on the security stuff. This is way odd. This is SCARY ODD.

Notok
November 9th, 2004, 05:22 PM
Not doubting you, galcoolest, just wanting to see what's been done.

At this point I would definitely say it's time for both expert advice and some head clearing. Since you've bought PG you are definitely entitled to some of the best support you can get :)

1) Get DCS' advice on the matter

2) Print out the page with the policy registry changes (you can disallow things like allowing actions to be performed with alternate credentials, etc.. I know there's a lot of stuff you don't care about on that page, but go over it with a fine tooth comb) .. http://home.covad.net/%7Ezeiler07/gphome.html

3) Download the WWDC and every other piece of software you can think of and burn them all to disk. Even if you don't think you'll use everything you download, you can at least have it on hand. You might also think about something like The Ultimate Boot CD for some diagnostic purposes.. http://www.ultimatebootcd.com/
If you can download and burn these from someone else's computer, all the better.

4) Most importantly: clear your head and come back to it with a clear strategy.. print everything out, turn the computer off for a few days until you can think about it without getting panicked or angry. I just had a weekend filled with frustration from what seemed to be an impossible problem, after spending several hours pounding my head I reformatted and the problem didn't go away. After forcing myself to get away from it, reading some Terry Pratchett (fantasy parody writer, for those that don't know, impossible to read without at least cracking a grin), etc, I came back and solved the issue in 2 mins flat. I know your problem isn't going to be that easy, but clearing your head is going to be the most critical aspect to dealing with this.

If you absolutely cant turn the computer off, you might consider getting a copy of Knoppix, or another LiveCD Linux distro, to use for a little while, and unplugging the power to the harddrive while you use it. That would at least let you get online to browse and such until you can sort things out. Getting away from the computer all together is my recommendation, however.

Paranoid2000
November 9th, 2004, 07:08 PM
Galcoolest,

Based on the information you have supplied so far, I would make the following observations:

A full format and Windows re-install should wipe almost all malware. But how are you formatting? The best method of wiping your system is to either boot your system with a (write-protected!) floppy Windows recovery disk and type format c: at the A:> prompt or to use the Windows Recovery Console (see Description of the Windows XP Recovery Console (http://support.microsoft.com/kb/314058/EN-US/) for instructions) to do a format (if you choose this route, try a fixmbr also to overwrite your boot partition in case that has been altered). Any other hard disks on your system should either be disconnected or formatted also (if you have overlooked these previously, they could have caused a reinfection).

A fresh Windows install is highly vulnerable to being compromised. It is therefore critical to ensure (at the least) that a firewall is installed and configured before connecting to the Internet. You will not have time to download critical Windows updates before your system gets compromised. Now this is a catch-22, having to have downloaded software before being able to connect to the Internet, but in your case I would suggest (if you have not already done so) downloading your preferred firewall, antivirus/antitrojan scanners and other security software (including a replacement for Internet Explorer - like Opera or Firefox) using a friend's PC, a work PC or even a cybercafé and burning a copy to CD (assuming there is a CD-writer available). When you have copied the software onto CD, close the disc (this should be an option in the CD-writing software) to prevent anything further from being written to it. This should ensure the CD copies are and remain virus-free (given your previous posts, it would be safer to assume that any current CD-ROM copies you have are potentially infected).

Are you installing using a Windows CD, a manufacturer-supplied "recovery disk" CD or a recovery partition on your hard drive? If from CD, they should be malware-free but if from a recovery partition then this could well have been compromised. In this case, beg/borrow/steal a Windows CD from somewhere. Once Windows is installed, configure the firewall to only allow essential applications (email, web browser) access - nothing else (if you are using Outpost, then consider setting it up as detailed in A Guide to Producing a Secure Configuration for Outpost (http://www.outpostfirewall.com/forum/showthread.php?t=9858) to ensure that its settings are locked down hard). Set up your other security applications. Only when you are sure that everything is configured, should you attempt an Internet connection.
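The offline-media step in the post above (download on a clean machine, burn, close the disc, install before going online) is easier to trust if the burned files can be checked against a manifest made on the clean machine, and checked again from the fresh install. The script below is an added example for this thread, not code from Paranoid2000 or from any product mentioned in it. The installer file names and contents are constructed for the demonstration, and it assumes Python 3 is available on whichever machine is borrowed for the downloads.

```python
"""Build and verify a SHA-256 manifest for a folder of offline installers.

Added example for this thread, not part of any post. Intended workflow:
  1. On a known-clean machine, download the installers into one folder and run
     build_manifest()/write_manifest() there; note the manifest's own digest
     on paper.
  2. After burning and closing the CD, run verify_manifest() against the disc
     before installing anything from it; repeat on the freshly installed box.
File names and contents in demo() are constructed sample data.
"""
import hashlib
import os
import tempfile

MANIFEST_NAME = "MANIFEST.sha256"
CHUNK = 1 << 20  # stream 1 MiB at a time so big installers are not read into RAM whole


def sha256_file(path):
    """Hex SHA-256 of one file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: sha256} for every file under root except the manifest itself."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = sha256_file(full)
    return entries


def write_manifest(root, entries):
    """Write 'sha256  path' lines (the sha256sum -c format); return the manifest's own digest."""
    path = os.path.join(root, MANIFEST_NAME)
    with open(path, "w", newline="\n") as f:
        for rel in sorted(entries):
            f.write(f"{entries[rel]}  {rel}\n")
    return sha256_file(path)


def read_manifest(root):
    """Parse the manifest written by write_manifest back into a dict."""
    entries = {}
    with open(os.path.join(root, MANIFEST_NAME)) as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                entries[rel] = digest
    return entries


def verify_manifest(root, expected):
    """Compare the tree under root with expected; return sorted problem strings (empty means clean).

    Three failure kinds are reported: a listed file whose hash changed, a listed
    file that is missing, and a file on the disc the manifest never listed (the
    case that closing the disc is meant to rule out)."""
    actual = build_manifest(root)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"MISSING   {rel}")
        elif actual[rel] != digest:
            problems.append(f"MODIFIED  {rel}")
    problems.extend(f"UNLISTED  {rel}" for rel in actual if rel not in expected)
    return sorted(problems)


def demo():
    """Constructed end-to-end run: a clean tree verifies, a tampered copy does not."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "firewall"))
        with open(os.path.join(root, "firewall", "setup.exe"), "wb") as f:
            f.write(b"constructed installer bytes\n")
        with open(os.path.join(root, "browser-setup.exe"), "wb") as f:
            f.write(b"another constructed installer\n")
        write_manifest(root, build_manifest(root))
        clean = verify_manifest(root, read_manifest(root))

        # Simulate what an unclosed disc or an infected host could do to the media.
        with open(os.path.join(root, "firewall", "setup.exe"), "ab") as f:
            f.write(b"\x90\x90")
        with open(os.path.join(root, "extra.exe"), "wb") as f:
            f.write(b"not on the manifest")
        tampered = verify_manifest(root, read_manifest(root))
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean tree:", clean or "OK")
    print("tampered tree:", tampered)
```

Write the manifest's own digest down on paper at burn time; then a rewritten manifest is as detectable as a rewritten installer. The line format is the one `sha256sum -c` reads, so the same disc can also be checked from a Knoppix live CD, as suggested later in this thread, without trusting anything on the hard drive.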

Galcoolest
November 9th, 2004, 07:16 PM
Thanks for all your input, folks. First off, I have been aware of and utilizing GRC's many cool tests for years- I pass as "true stealth" and "that's unusual for a Win OS machine" is always added- (manually configure ports, etc.). And I am a single, no kids gal with not a soul-ever- getting near my machine, so physical intrusion is impossible. (I'm so paranoid, that even though I live alone with two cats, I have my Bios and system locked by passwords, JUST in case some neighborhood kid should EVER wander up to my office, etc.) LOL.
I know all about the recommended strategies- the pack of software one should use (mentioned before), the ups and downs of the various browsers (duh, the DOWNS of the big one, but I had so much trouble with Firefox and Netscape that I settled for MyIE2 [Maxthon], locked down tight)--the crummy AVs and the worthless firewalls, etc.

That's why I am so incensed. I haven't had a speck of trouble for months- I don't even get but 2 spam mails a week- and then right after, a day after, I finally got coerced into installing SP2 (which I was not keen on, let me tell you), this nonsense started. And had I not freaked and deleted the original intruder's files, I doubt the rest of this would have ensued.

I really ticked him off- I erased literally hundreds of files, and the unerasable (encrypted) config files I simply messed with to the best of my ability- trying renaming, cutting, pasting, etc. etc. I messed his scene up for sure, having found him luckily when he was offline, (with time to offload my new stuff cautiously) and he proceeded to burn me to the ground after that- step by horrific step, I watched my PC fry.

So I threatened him with the Feds, and I thought he was gone. But then, for the past two weeks or so, I have been stuck with this "virtual" monster, executing code that wipes my authority, my access, my files, etc. And the rest you know--- I can't seem to get rid of it!

I appreciate all of your suggestions, but trust me, I have been very conscientious and with a high degree of education on security- no matter, unfortunately. There isn't squat that is keeping this creepy infiltration from manifesting- none of my soldiers can see it or stop it- it's scarier than all get go.

Hearing some say it may warrant chucking the metal box into the garbage isn't that surprising to me now- it's looking nearly hopeless.

BUT: I am a civil rights attorney-really-and we tend to be damn hard core combatants. I won't go down without a fight! So my brave mercenaries, let's get this enemy of freedom and peace! Surely somehow our heads put together can vanquish this infidel! ;D

still_longhorn
November 9th, 2004, 07:18 PM
-{ Quote: "Still_longhorn: Keep in mind that on AOL all they really need is the username.. they have utils that will wait until a username pops up and report the new IP, sometimes initiating the attack automatically. I've actually heard stories from the other end of this type of attack before.." }-

Aaahhh....! The plot thickens.... From Super hacker to the conspiracy theory.... for that to happen, AOL has to be part of the hacker's data base...

C'mon guys! Let's stick to conflicts and incompatibilities...!

BTW, PG prevents installation of new processes regardless if its the paid or free version. The difference is that the free version can only protect one application.

The only way to resolve this is to eliminate all the speculations and guesswork by starting with DCS ASViewer:

galcoolest, please post your asviewer logs (with your permission mod....) so we can see what has been loaded into your PC at start up....

still_longhorn
November 9th, 2004, 07:21 PM
ASviewer: http://www.diamondcs.com.au/index.php?page=asviewer

still_longhorn
November 9th, 2004, 07:42 PM
Next: Please download the evaluation copy of TUT from http://www.answersthatwork.com/TUT_pages/TUT_information.htm

This cute app will point out conflicts & potential conflict areas in your system....

Galcoolest
November 9th, 2004, 07:46 PM
I cannot stand these old IE browsers! I go to look for something, and boom- minutes of typing is poof!!!

So- rather than my long answers to you all---- Quickly, I reformatted the first time by doing the debug routine (Dell fed me it), fdisk, repartition--- no go, animal was back. So Dell had no other ideas, and I figured out thanks to our pals at Google (is that the sh*t or what? Gosh I woulda killed for it in school!) that I needed my hard drive manufacturer's software, and got the Maxtor offerings- did low level (3 hour) formats, repartitioned in lots of different ways over the course of SIX reinstalls - having run Eraser first, mind you...----and STILL THIS IS ON MY PC!!!!

And now it's there even in ME!!!!!!!!!
C'mon folks, I am not imagining this. 666 is clearly written on this one. I've never seen anything like it. Chucking the damn metal box is looking like a good idea, I must say. >:(

still_longhorn
November 9th, 2004, 07:50 PM
If you have anything suspicious in your start up log, someone in this forum will find it... Then we can start discussing solutions....

still_longhorn
November 9th, 2004, 07:54 PM
You're a lawyer galcoolest! At least give us the logs (proof) to work on. Hearsay won't stand in court. 50 posts about Asmodeus being in your computer won't make it a reality...! Post the logs!

Peaches4U
November 9th, 2004, 10:56 PM
If u are dealing with a hacker - U might like to do a little test of ur ports and shields to find out how ur computer is being accessed.

https://grc.com/x/ne.dll?bh0bkyd2

Results of each tests will be given to u online.

Galcoolest
November 9th, 2004, 11:26 PM
Well the deal is : I am on ME right now, and beginning to think I was hyperventilating about the Beast being on here too. However I shall show what's going off in start-up (nothing unusual) but want you all to look at the drivers lists- sure seems like way more drivers than I recall in ME.

I'm really beginning to think my best bet is to just order the Pro upgrade online now (was going to wait til I got back to CA in a few weeks---leaving hellish FLA for the coolest spot in the USA, where I'm from, San Fran [NEVER call it FRISCO!]. Could snag it cheap there- Cheap as in, who me? I'd never do that!) But I have been screaming bloody murder about HOME since the day I got it- what a lousy configuration it is, a total pain. I'll bite having to pad Bill's pockets again....

So I'm thinking, until Pro gets here in a couple of days, I'll just hang with ME cus nothing obvious is wrong and even if something is, I wouldn't know it really, and what I don't know can't hurt me, right? LOL. Kind of like it was advised -- I'll take a breather. Just hang out on the terrace here- let the infuriations of the XP mess go by the wayside for a while. Ignore the car horns and smog. Contemplate the shrubbery.

When I reload XP, it will be after another complete low level format and BIOS flash and OF COURSE, as always, I will configure all the security before daring to get online. I am gearing up with all the downloads you guys suggested and fresh versions of my old crew, too. I do have the SP2 disk, which I gotta load, damn it, but them's the breaks . I have had serious problems with it since day one, not this turmoil only, but super rigidity of the system, software conflicts and meltdowns, etc.

Actually I have all the HOME updates from June-SP2 on disk, but I have simply had it with HOME and feel the added functionality, configurability and security of Pro will be a huge relief. I mean, in HOME it's black or white only- no inbetween usability- and ltds [which I have surfed under for safety- ha ha ha, lotta good all that cautionary behavior did for me after all ] can't even download software updates!!!! It sucks all around. I'm not gonna reload HOME. Screw it.

So, my point is that I'm asking you all to wait til I get Pro and then we'll see what happens, ok? I am consciously putting nothing on this PC now or planning on saving anything - I'll just forward things to my web email if I need to save em (Links, emails, whatever). I agree I need a vacation from the nightmare of being naked and powerless on my own PC as is the case under HOME-- loitering on ME is pleasantly uneventful! ;D

Thanks everyone for your thoughtful comments and suggestions. Will send along the start-up crud from ME asap. But my Home burned down as far as I'm concerned.
PS: Quick question-- Is the Pro upgrade like the Home upgrade in that you can upgrade or CHOOSE TO DO A FRESH INSTALL? Sure hope so!!!
PPS. I have had exactly 4 hits on my firewall in the past four hours.... ;D

Peter2150
November 9th, 2004, 11:33 PM
Since you are already a DCS customer have you considered looking at Port Explorer. That way you can monitor incoming and outgoing traffic.

Now what may be a naive question. I am running ZAPro and have tested it at GRC's site plus several other sites, and it shows all stealthed. Also I have run PCFlanks Exploit test which tries to attack the computer with stuff that would crash it. ZA passes. My question is even if someone knew your username(AOL or whomever) could they really attack the computer. Might screw up surfing maybe like a denial of service attack, but could they get to the computer itself.

Galcoolest
November 9th, 2004, 11:39 PM
My infiltration was probably through the Linksys BEFSR41- which was disastrously flawed and not patched by them until August. Many folks on LANs were basically open season for creeps who knew of the vulnerability. My firewall never saw a thing. I also have ZA Pro right this second (Outpost was on XP, but ZA is fine for now over here on ME, for today, my being too lazy to configure Outpost tonight).

Starrob
November 10th, 2004, 01:12 AM
I am with you on this Still_Longhorn

It is difficult for me to believe in super-trojan theories. If something this complex was on my computer I would not be in any forums looking for the answer. I would be emailing people like KAV, NOD, Jason and Gavin at DCS, Ewido, A2, Trojanhunter, BoClean and even Nautilus and let them all have a look at it.

I would go straight to the experts. The people in these forums are smart but most do not have as much experience as the people that are making a living at this writing software to counter these threats. It is doubtful a solution to something this complex would be found in this forum.

I suggest going to the experts and coming back with their answers to what they think is wrong. I am sure others would like to know the resolution to this problem.


Starrob


-{ Quote: "You're a lawyer galcoolest! At least give us the logs (proof) to work on. Hearsay won't stand in court. 50 posts about Asmodeus being in your computer won't make it a reality...! Post the logs!" }-

still_longhorn
November 10th, 2004, 03:09 AM
OK. Since the start up logs cannot be posted for everyone's benefit, I will nevertheless stick out my neck by saying: There is no Super Trojan or Super Hacker involved here! It goes against my grain to even speculate without the start up logs as basis but here IMO, are the pertinent facts:

1. These all started after an upgrade to SP2 for Win XP Home;
2. Super Hacker ruled out because of the statistical impossibility of a hacker finding the same HDD/PC that has undergone three reformats, a BIOS flash and a change in ISP provider, plus a FW that prevents anyone from calling home;
3. Unknown drivers being loaded in spite of PG; (IMO, these unknown drivers should read as corrupted/unstable drivers brought about by application conflicts)

#1 tells me when
#2 tells me how and where (conflict area)
#3 tells me why galcoolest's system is acting that way

The what is kind of tricky but I'll stick out my neck with a hypothesis:

I agree that an upgrade to XP Pro will eliminate the problem not because Pro is inherently better but because when one uses Pro, the default login is Admin, whereas the default for Win XP Home is "owner". IMO, upgrading to SP2 using "Admin" as the default instead of "owner" (possibly used during the original installation) has created all the conflicts! LOL!

OK, all you techies, you were all taught not to argue with a hypothesis in Science 101, but to test it! LOL

I am serious! IMO it is a conflict that is causing all these and the use of a password other than the default used in the original installation of XP Home can create this Input validation error. I could be wrong but it seems more logical than the Super Hacker/Trojan theory....

still_longhorn
November 10th, 2004, 03:23 AM
;D Better than the HOUDINI, ASMODEUS/666 theory I'd say! Though not as mystifying LOL! ;D

Marja
November 10th, 2004, 03:24 AM
At the risk of being way off base here, I have been having a lot of the same problems since SP2. I was going to PM someone about it, but, since you are here I will copy it here!

Marja

Text to follow instead!

Marja
November 10th, 2004, 03:29 AM
Hey guys! Here is my story -

A while ago I noticed services being turned back on after I was logged off, new programs that I didn't even know what they were for!!!

There is a thread in Software and Services, "Conflicting Apps", #35, Oct.30,2004 by me, it was something I saw on the Admin Apps Event Viewer. it seemed to be a "person" saying they could cause a security event if they didn't impersonate the user's "moves".

The "person" was put in WMI to log on in the LocalSystem? I found the "name" HiPerfCooker_v1, in Google which led me to the MSDN library. It is supposed to be some super counter for MS.
There were other "names" "talked about, I also found them to be MS programs.

They are programs WAY above my head, but, I thought maybe that is her problem, mine too, and a few other people on Google.

So, it sounds like conversations and sneaky stuff, but maybe because we don't have any idea what they do or are? It is irritating that the services I want off get turned on all the time, but, I think it does have something to do with SP2, That is when my problems started. So far not major, I keep diggin around to find out stuff, but, It is all beyond my puter knowledge!!

Most of it is visible in the Event Viewer, and she said her viewer was going crazy with "un-wanted " persons loggin on to her computer. Me too, why? who knows I hope some one can find out,
Well, that is what I have found out so far, I keep looking, but, it seems clear to me it is MS and XP2, and by the way, all the people I have read about so far have Dell puters!?

LOL! It is a crazy story, but, tell me how to show you my Event Viewer logs, and you might figure it out like that!!

Well that is basically it, most of the stuff she says is bothering her is my problem too.

I found a lot of it at the MSDN library, but I don't know what else to do?

Marja8)

Marja
November 10th, 2004, 03:50 AM
It's not just any services, it's all the remote services, it's some kind of transfer service, "they" log on even after I log off, I am on dial-up. Just like if someone WAS using your computer along side and after you get off.

But, everything I could look up led me to that library? With what sounds like a logical sounding program, except I don't want it using my computer.

Could MS and one of its own programs (SP2) conflict with each other? MS complains that I am logging off when other people are logged on, NO. It keeps saying I am a workstation, NO. See, like the basic prog doesn't even know what the new one is doing?

I just thought it would be someplace to start, and she isn't the only one.

Thanks for your time!

Marja8)

Notok
November 10th, 2004, 04:12 AM
Are you both using OEM CDs when reformatting?

still_longhorn
November 10th, 2004, 04:20 AM
In the mad scramble to come up with the perfect system, we have all been guilty of installing apps that have become more and more beyond our comprehension. And powerful apps at that! Apps for this, apps for that, apps for everything including changing the color of our bathroom sinks.

As the system configuration grows more complex, we unknowingly create the very thing we've been trying to avoid... vulnerabilities. Worse, these apps have created conflicts among themselves, such that an estimated 65% of computer problems have been attributed to conflicting background tasks (http://www.answersthatwork.com/TUT_pages/TUT_information.htm) rather than to hardware, viruses or malware!

These problems are inevitable! (If Ad Aware finds Spybot as a threat, can you imagine the conflicts we are not aware of?) The countless problems when installing Win XP SP2 are seldom encountered during a clean installation. What does this say? Simply that third party apps can create these problems... yet these apps were installed to help us not create chaos...

This may be a bit off base but relevant nevertheless to debunk Super Hacker theories... Besides, if I were a Super Hacker, I'd go for Fort Knox instead of MP3 copies of my favorite band... LOL

Marja
November 10th, 2004, 04:23 AM
Yep! Useless pieces of plastic too, they are missing a lot of stuff! Right off hand I can't think of what, of course! But, I really had a hard time, I finally got this new hard drive, but, still OEM.

still_longhorn
November 10th, 2004, 04:42 AM
-{ Quote: "
I just thought it would be someplace to start, and she isn't the only one.
" }-
I never doubted that there were problems... just the reasons presented...

When causes are demystified, they somehow become less interesting. Is this why there is this insistence to pursue the Hacker/Trojan/Kill Bill theory?

Where has everyone's logic gone to? 6 X 3 may be the same as 3 X 6 but a Venetian blind is not the same as a Blind Venetian! We are looking at symptoms here... not causes. Find the cause and the solution is not far behind.

Marja
November 10th, 2004, 04:55 AM
Here are most of the names:

A trusted logon process has registered with the LocalSecurity Authority and will be trusted to submit Logon requests: (for OTHER progs!)

Rasman
Chap
\LSASRV.dll
WDigest
Lanman
KSecDD
scecli
DCOMSCM
\kerberos.dll:Kerberos
o.dll:NTLM
Schannel
WinLogon\MSGina

Also, sometimes they just use ID#'s. 0x0.0x3E5 - 0x0.0x3E4

Hope this will keep you til tomorrow!! This is most of them I am sure!
I will gather the other progs that just run amok, then.

Thanks for your time, guys!

Marja8)

I am going off-line in a few, but will wait if you have questions:)

still_longhorn
November 10th, 2004, 05:16 AM
At the risk of being off, allow me to give the following as an example of potential chaos: WinLogon.exe vs. WinLogon.exe.... Which one is the integral part of the Windows O/S? Which one is the W32.Netsky.C@mm virus?

Windows NT4/2000/XP/2003 Logon application whose full path is either C:\WinNT\System32\Winlogon.exe or C:\Windows\System32\Winlogon.exe. This process manages users’ logons and logoffs on your PC/Server. The window which pops up and prompts you for your username and password, or which allows you to logoff or shutdown, is the WINLOGON process.

If you have Windows NT4/2000/XP/2003 and the full path for this task is C:\WinNT\Winlogon.exe or C:\Windows\Winlogon.exe , then you may have the W32.Netsky.C@mm virus, or a newer virus. If you have Windows 95/98/ME then you definitely have either the above virus or a newer virus.

AOL in an MS directory, duplicate file names... etc. the potential for conflict is everywhere.... Should we be surprised at the chaos in our systems?
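
The path check described in the post above can be scripted rather than done by eye. The following is an added example, not code from the thread or from any poster; it assumes a Windows system with PowerShell 3.0 or later and an elevated prompt (the executable path of SYSTEM processes is hidden from non-administrators), and it only reports, it changes nothing.

```powershell
# Added example: confirm that every running winlogon.exe is the genuine
# copy under %SystemRoot%\System32, as the post describes, and flag a copy
# sitting directly under %SystemRoot% (the location the post associates
# with W32.Netsky.C@mm). Assumes PowerShell 3.0+, run elevated.

$expected = Join-Path $env:SystemRoot 'System32\winlogon.exe'

$procs = Get-CimInstance Win32_Process -Filter "Name = 'winlogon.exe'"
foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if (-not $path) {
        Write-Warning ("PID {0}: path not readable; re-run from an elevated prompt" -f $p.ProcessId)
        continue
    }
    if ($path -ieq $expected) {
        Write-Output ("PID {0}: OK  {1}" -f $p.ProcessId, $path)
    } else {
        Write-Warning ("PID {0}: UNEXPECTED PATH {1}" -f $p.ProcessId, $path)
    }
}

# A same-named file outside System32 is suspect whether or not it is running.
$stray = Join-Path $env:SystemRoot 'winlogon.exe'
if (Test-Path $stray) {
    Write-Warning "Found $stray outside System32; checking its Authenticode signature:"
    Get-AuthenticodeSignature $stray | Select-Object Status, SignerCertificate
}

# The genuine binary should carry a valid Microsoft signature.
Get-AuthenticodeSignature $expected | Select-Object Path, Status
```

A signature status other than Valid on the System32 copy, or any process whose path is not the expected one, is the finding; the post's "which one is which" question is answered by path and signature together, not by the file name.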

Marja
November 10th, 2004, 05:19 AM
Do you think ya have enough homework??:D I'm signing off!! :)

Marja
November 10th, 2004, 05:21 AM
I'm signing off now, hope you got enough work!:D

sekuritas
November 10th, 2004, 05:29 AM
Hmmm.... this looks very interesting. I would very much like to know the entrance door. Let me know and I would write something to detect it.

Perhaps this may lead to something...
1) turn on O/S audit trail log
2) install a real time pc audit trail logger (like pclogger) to try to determine when did it happen.
3) run a disk snap-shot AFTER you have determined that the PC is cleaned
4) investigate if there is any strange ip activities using tools like ethereal or ipticker

still_longhorn
November 10th, 2004, 05:55 AM
You can use the checked version of the Kerberos.dll (client) or Kdsvc.dll (domain controller) file and a registry modification to output Kerberos debug statements to a debugger. For optimal reporting, use both checked files on domain controllers. When using symbols of Kerberos DLLs on Windows 2000, the debugger reports a warning that there is a mismatch in the checksums between the symbol and the corresponding executable image.

Access violation in Lsasrv.dll causes server to become unresponsive. When you attempt to add computers to a domain during Windows NT Setup after you have installed the updated Lsasrv.dll file (Lsa-fixi.exe or Lsa- ixa.exe) on the Primary Domain Controller (PDC), you may receive the following error message: "A...."

Discusses how to use the RPC Ping utility to troubleshoot connectivity issues for Outlook 2003. The RPC Ping utility is included with the Windows Server 2003 Resource Kit Tools.

KSecDD
You may receive the following STOP error message on a blue screen: STOP 0000001e (c0000005 f1b51f4b 00000000 80152e00) KMODE_EXCEPTION_NOT_HANDLED in KSECDD.SYS Note that the preceding STOP parameters may vary. This problem can occur when you are...
The cluster node performs a random bugcheck and you receive either of the following error messages: STOP 0x000000b8 ATTEMPTED_SWITCH_FROM_DPC (b8) A wait operation, attach process, or yield was attempted from a DPC routine. This is an illegal...

This article describes how to restrict the use of certain cryptographic algorithms and protocols in the Schannel.dll file. This information also applies to Independent Software Vendor (ISV) applications written for the Microsoft Cryptographic API....

This article describes ways to troubleshoot and to resolve SCECLI 1202 events. The first step in troubleshooting these events is to identify the Win32 error code. This error code distinguishes the type of failure that causes the SCECLI 1202 event....

WinLogon\MSGina: Gina must be an MS programmer


It seems like parts of the NT source code have appeared in your monitor. I'm afraid that there is no Super Hacker/Trojan here... Just bits and pieces of files used in programming NT....

::)

Notok
November 10th, 2004, 05:55 AM
One thing I forgot about that might be worth doing is going into TDS-3, click "scan control" and tick "Scan for Clients/EditServers" THEN scanning in safe mode.
Also run WWDC if you haven't already.

longhorn: I know what you mean, but we can't rule it out completely yet. There ARE tools for doing what is being described, no matter how far fetched you may think they are. Some of the names mentioned by Marja are IIS related, which is used by worms and direct attacks alike. If they had access to gpedit things would be a lot easier. I just don't see anything being ruled out completely yet. I believe that between SafeXP and WWDC at least some of these components can be disabled easily.

sekuritas: agreed, although I'm not sure you can turn on auditing in XP Home, and PortExplorer is probably the more user friendly alternative to Ethereal and such.

still_longhorn
November 10th, 2004, 06:01 AM
-{ Quote: "I'm signing off now, hope you got enough work!:D" }-
Yeah.... Look at the posting time.... all of about 30 minutes....

Notok
November 10th, 2004, 06:13 AM
0x0-0x3e4 also points to IIS..
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook.WhatIsAWindowStation
-{ Quote: "The practical point of having window stations is to avoid luring attacks from daemons1 against an interactive user. If a process running under a low-privilege account can send window messages to a highly privileged program, it can take control of that program. For one example of how this can be done, read WhatIsALuringAttack. Because window station boundaries normally parallel logon session boundaries, this helps prevent this sort of attack." }-(this explains securing these things, but hopefully we can just get them removed)

Paranoid2000
November 10th, 2004, 06:17 AM
-{ Quote: "Here are most of the names:

A trusted logon process has registered with the LocalSecurity Authority and will be trusted to submit Logon requests: (for OTHER progs!)

Rasman
Chap
\LSASRV.dll
WDigest
Lanman
KSecDD
scecli
DCOMSCM
\kerberos.dll:Kerberos
o.dll:NTLM
Schannel
WinLogon\MSGina" }-
These are all names of Windows system processes - I'd suggest that you've enabled too much logging on your system, which is why you are seeing all these reports. It would be better to restrict logging to authentication failures rather than successes to avoid this.

Rasman - Remote Access Service Manager.
Chap - Challenge Handshake Authentication Protocol (used to verify via user/password your identity to an ISP when you connect to them), see RFC 1994 (http://www.faqs.org/rfcs/rfc1994.html) for more details on this standard.
\LSASRV.dll - Local Security Authority Server, used to check and verify security requests.
WDigest - this is an authentication mechanism introduced in Windows XP for web pages, see What Is Digest Authentication? (http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_digst_what.asp).
Lanman - Local Area Network Manager, handles file and printer sharing and supports an older (and weaker) method of authenticating network users used by Windows 95/98 systems.
KSecDD - "Ksecdd is a very thin component that NTFS calls to communicate with the LSA. Ksecdd is used to set up local procedure call (LPC) communications to the LSA." taken from How Encrypting File System Works (http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_efs_how.asp).
scecli - "Provides client side interfaces to the security configuration engine and does Resultant Set of Policies (RsoP) logging during policy propagation." taken from How Security Settings Extension Works (http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_gpssp_how.asp).
DCOMSCM - Appears to be a utility for the Microsoft SQL (Structured Query Language - a standard for searching databases) Desktop Engine. See Microsoft SQL Server: MSDE 2000 Features (http://www.microsoft.com/sql/msde/productinfo/features.asp) - even if you have not installed the SQL DE yourself, you may have a Windows component or application that has.
kerberos.dll - Kerberos is a method of authentication using keys, see What Is Kerberos Authentication? (http://www.microsoft.com/resources/documentation/windowsServ/2003/all/techref/en-us/w2k3tr_kerb_what.asp) for more details.
o.dll:NTLM - an authentication protocol, see NTLM (http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prdp_log_hghx.asp) for more info.
Schannel - "A security package that provides authentication between clients and servers." taken from MSDN Security Glossary (http://msdn.microsoft.com/library/en-us/secgloss/security/s_gly.asp).
WinLogon\MSGina - WinLogon handles user logins, running GINA (Graphical Identification and Authentication) which creates the Ctrl-Alt-Del login prompt that appears on startup. This can be replaced if you wanted to use an alternative method, e.g. biometrics. See MSGina.dll Features (http://msdn.microsoft.com/library/en-us/secauthn/security/msgina_dll_features.asp) for more details.

-{ Quote: "Hope this will keep you til tomorrow!! This is most of them I am sure! I will gather the other progs that just run amok, then." }-
All of these are "standard" Windows processes. While it certainly is possible for some to be compromised by malware or trojans (and some spyware uses similar file names to appear legitimate), their existence and activity is by no means an indication of problems on your system. If in doubt, a Google search on the filename (adding the term site:microsoft.com to restrict results to Microsoft's own website) should provide more details - this is pretty much what I did to find the links above.

The JSI FAQ 2139 » What is the module/service load order of a 'typical' Windows 2000 domain controller? (http://www.jsiinc.com/SUBE/tip2100/rh2139.htm) article should give a pretty good idea of how complex a "typical" Windows system can be under the hood (which is one reason why fully securing them is all but impossible). You can simplify things by shutting down unneeded services and Black Viper's (http://www.blackviper.com/) site is the best source of information here - but do take things a step at a time since disabling certain services can prevent key tasks like network access.

Also see this Usenet Have I been hacked if... (http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&frame=right&th=a9cbd588f9c21fa0&seekm=025d01c35aaf%246791a240%24a301280a%40phx.gbl#link1) thread for another example of legitimate activity causing concern.
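
Both sekuritas' first step (turn on the O/S audit trail) and the advice above to log authentication failures rather than successes can be put into practice with the following. It is an added example, not code from the thread or from any poster; it assumes Windows Vista / Server 2008 or later (auditpol.exe and the 4xxx Security event IDs, which XP Home does not have) and an elevated prompt.

```powershell
# Added example: audit logon failures only, then summarise what the Security
# log recorded. Assumes Windows Vista+ with auditpol.exe, run elevated.

# 1. Audit failures, not successes, for the Logon subcategory. Success
#    auditing is what fills the log with the routine entries quoted above.
auditpol /set /subcategory:"Logon" /success:disable /failure:enable | Out-Null
auditpol /get /subcategory:"Logon"

# 2. Pull the last day of events. 4625 = an account failed to log on;
#    4611 = a trusted logon process registered with the LSA (the message
#    Marja quoted; informational, produced by system components).
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4611; StartTime = $since } `
          -ErrorAction SilentlyContinue

# Helper: turn an event's <EventData> into a name/value hashtable.
function Get-EventFields($evt) {
    $d = @{}
    foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 3. Failed logons grouped by account and source address. A burst from a
#    single remote address is worth attention; a handful from the local
#    machine (mistyped password) is noise.
$events | Where-Object Id -eq 4625 | ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = $f['TargetUserName']
        Source  = $f['IpAddress']
        Type    = $f['LogonType']   # 2 interactive, 3 network, 10 remote desktop
    }
} | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4. Listing the 4611 logon-process names once shows they are the same
#    small set of Windows components each time.
$events | Where-Object Id -eq 4611 | ForEach-Object {
    (Get-EventFields $_)['LogonProcessName']
} | Sort-Object -Unique
```

The point of step 1 is the one made above: with success auditing off, an entry in the log is a failure by definition, so the log becomes something you can read rather than a stream of normal activity.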

still_longhorn
November 10th, 2004, 06:51 AM
-{ Quote: "
longhorn: I know what you mean, but we can't rule it out completely yet. There ARE tools for doing what is being described, no matter how far fetched you may think they are. Some of the names mentioned by Marja are IIS related, which is used by worms and direct attacks alike. If they had access to gpedit things would be a lot easier. I just don't see anything being ruled out completely yet. I believe that between SafeXP and WWDC at least some of these components can be disabled easily.
" }-

Most of the names mentioned by Marja are debugging tools/modules used in developing NT!

Some things don't change and the most basic consideration in this business is motivation.... We are discussing here a system that allegedly calls home, a Super Hacker /Trojan that has survived 3 reformats, a Bios Flash and what else. C'mon. Much as I would like to be entertained by such possibilities, the motivation to do so simply does not exist. You've heard rumors to that effect. I've heard the same rumors. But that's exactly what they are! Rumors!

We cannot insist on attributing super powers to these sleazeware because there is no motivation on their part to acquire these capabilities. Yet. Some things don't change. A super hacker would never break into a system because some gal pissed him off by deleting his MP3 files. C'mon. I can come up with a better scenario. A script kiddie would be a more likely candidate but he won't have the skills to develop such a super Trojan. In the real world, social engineering would be a more effective means to break into a system. Not a trojan application but rather a real live insider breaking into a system from within.

A direct attack would also seem plausible but this would involve DoS to force a core dump and retrieve shadow passwords but then the question arises: What for? A recently reformatted HDD? LOL! C'mon!

What's that you say? It's a dry run? A test? An attack on a poor damsel in distress? Try my IP address: 192.168.0.1 because a Super Hacker's target will be a hundred times more impregnable. LOL! Testing galcoolest's IP is not a real test!

Nah! There's no logic in the Super Trojan line of thinking. I wish there were so things would really be exciting but I'm afraid there's none.

still_longhorn
November 10th, 2004, 07:02 AM
-{ Quote: "
WinLogon\MSGina: Gina must be an MS programmer

::)" }-

I should have looked this up too, but i thought it was already pointless after the first few hits that turned up common window processes. My apologies... :-[ :-[ :-[ :-[ :-[ :-[ :-[ :-[ :-[ :-[ :-[ :-[ :-[ ;D

controler
November 10th, 2004, 07:32 AM
Hi All

First off, I always mention here to reflash your BIOS before repartitioning and formatting.

Next, unless all these issues are resolved by now, here is the MS page that lists programs broken by SP2:

http://support.microsoft.com/default.aspx?kbid=884130&product=windowsxpsp2

As you can see Zonealarm and Norton are both listed. If you have one of these programs on your computer that does not like SP2, how would two or three on the same system react?
Are all these problems with SP2 being caused by every software maker wanting to have a low level driver? I don't know.

Bruce

james232r
November 10th, 2004, 09:55 AM
-{ Quote: ";D Better than the HOUDINI, ASMODEUS/666 theory I'd say! Though not as mystifying LOL! ;D" }-

Have we considered the possibility that Longhorn is the superhacker that is in galcoolest's computer and he's trying to confuse the issue?

LOL. But yes, I agree fully with your guess.

Infinity
November 10th, 2004, 11:26 AM
maybe she has a computer with multiple personalities, it is called schizzoputer and It is not cheap to have one...:lol

have a nice eve.

I am curious how this evolves....

still_longhorn
November 10th, 2004, 01:34 PM
-{ Quote: "Have we considered the possibility that Longhorn is the superhacker that is in galcoolest's computer and he's trying to confuse the issue?

LOL. But yes, I agree fully with your guess." }-

;D ;D ;D I can just read the headlines!

Super Hacker breaks into civil activist lawyer's computer to retrieve MP3 files that were deleted just to piss him off! Said lawyer has engaged the services of Wilder's Security Forum members to establish prima facie evidence of the crime! There was an uproar in the local DShield.org office who has claimed jurisdiction over the case. However, the lawyer inadvertently filed her complaint with the Feds, much to the confusion of everybody concerned. No names were mentioned in the charge sheet to protect the identity of the suspected Super Hacker.... ;D ;D ;D

Marja
November 10th, 2004, 02:27 PM
Well DUH!! I knew they were MS progs. What I need to know, Notok and Paranoid is how to keep these busy-work services, and the remote services OFF! As soon as I turn them off, sooner or later, they come right back on. Even after I have logged off.

If MS wants to run all this junk on my computer - maybe they should upgrade it and pay for it! LOL!

If I am on a dial-up, how are they logging on as I log off?
I guess I would also like to know what they are doing? It's not like I am running huge science or math projects, geeez!!

Any help is appreciated, sorry no Super Hacker Still_Longhorn, it would be more fun, huh? :D

Notok
November 10th, 2004, 02:27 PM
I dunno, right now this looks to me like a matter of having IIS running (running webserver, etc) and being exploited. It's more than possible that Dell decided to put IIS on their XP Home installs (IIS is not supposed to even be on XP Home) and someone happening along these services running. I know that SP2 has a flaw that will essentially broadcast your network info if you have file & printer sharing running.. this doesn't sound to me like either a super hacker or super trojan, but something achievable by script kiddies.

This is why I recommend completely uninstalling File & Printer Sharing (as described earlier in the thread) to begin with. Next step would be to go into add/remove programs > windows components, and look to see if "Internet Information Services", "asp.net", or "application server" is listed there anywhere and uninstalling it if it is.

Look, longhorn, I'm not just looking for drama here.. I like troubleshooting. It doesn't matter to me what the root of the issue is, as long as it gets fixed. One of the ways you do that is to start ruling out the widest range of issues that you can and then work your way down.. sometimes it takes a while to get down to the information that's useful enough to solve the problem. Outright criticism of the users responses rarely helps in this. If you have some helpful ideas other than "what you're saying isn't possible, you're a moron" then I'd be glad to hear it. (I'll strike that.. I know my methods haven't been exactly meticulous in this thread, but give me a break, alright? It's not like I've got any SOP docs to go on. We'll get there, though.. sooner if someone that actually has experience with what's being described jumps in.)
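
The "look in Windows Components for IIS / ASP.NET and remove it" step above, done from a script so nothing is missed. This is an added example, not code from the thread or from any poster; it assumes Windows 8 / Server 2012 or later (the DISM PowerShell module) and an elevated prompt, and it only reports unless $Remove is set.

```powershell
# Added example: list enabled IIS / ASP.NET optional components and, when
# $Remove is $true, disable them. Assumes Windows 8+ with the DISM module,
# run elevated. The feature-name pattern is an assumption covering the usual
# IIS-*, WCF HTTP activation and .NET ASP.NET feature names.
$Remove = $false

$web = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.State -eq 'Enabled' -and
                   $_.FeatureName -match '^(IIS-|WCF-HTTP-Activation|NetFx.*ASPNET)' }

if (-not $web) {
    Write-Output "No IIS or ASP.NET web components are enabled"
} else {
    $web | Select-Object FeatureName, State | Format-Table -AutoSize
    if ($Remove) {
        foreach ($f in $web) {
            # Disabling a feature that an earlier iteration already turned
            # off is harmless, so the order does not matter.
            Disable-WindowsOptionalFeature -Online -FeatureName $f.FeatureName -NoRestart | Out-Null
            Write-Output ("Disabled {0}" -f $f.FeatureName)
        }
    }
}

# The web server itself runs as the W3SVC service; after removal it should
# not exist at all, and before removal it should at least not be Running.
Get-Service -Name W3SVC -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Run it once with $Remove left at $false to see what is installed, then again with it set to $true; a reboot may be needed before the last check shows the service gone.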

still_longhorn
November 10th, 2004, 02:27 PM
-{ Quote: "It's not just any services, it's all the remote services, it's some kind of transfer service, "they" log on even after I log off, I am on dial-up. Just like if someone WAS using your computer along side and after you get off.

But, everything I could look up led me to that library? With what sounds like a logical sounding program, except I don't want it using my computer.

Could MS and one of it's own programs(SP2) conflict with each other? MS complains that I am logging off when other people are logged on, NO. It keeps saying I am a workstation, NO. See, like the basic prog doesn't even know what the new one is doing?

I just thought it would be someplace to start, and she isn't the only one.

Thanks for your time!

Marja8)" }-

Slowly, the picture is clearing up... The common denominator here appears to be SP2. There appears to be too many horror stories encountered AFTER the installation of SP2 in systems with third party utilities in place. I still have to come across the same problem where a "clean" installation was involved. What does this say? Obviously, the presence of conflicts brought about by third party apps that were supposed to make our systems more secure !

From what I've read so far, it seems that many of your remote services are enabled without your permission thus leading you to believe that someone other than yourself has control over your computer. Being security conscious, I assume that you have set these services from automatic to manual start up at the very least. In effect, what you have really done is prevented these services from running upon boot. However, you have not prevented other applications from starting these services when the need arises. A conflict can trigger this need (who knows what really goes on under the hood?). To prevent these services from being activated by other applications, you may have to set their start up type to "Disabled."
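
The Manual-versus-Disabled distinction above, with a way to catch the "they come right back on" symptom: save the startup type of every service once, disable the chosen ones, and later diff the current state against the saved baseline. This is an added example, not code from the thread or from any poster; it assumes Windows PowerShell 5.1 or later and an elevated prompt, and the three service names are illustrative choices of mine (RemoteRegistry, the IIS web service W3SVC, and the Telnet server TlntSvr), not a list taken from the thread.

```powershell
# Added example: disable chosen services (so no other application can start
# them on demand, which a Manual start type still allows) after recording a
# baseline of all startup types, then report drift from that baseline.
# Assumes Windows PowerShell 5.1+, run elevated. Service names are examples.
$ToDisable = @('RemoteRegistry', 'W3SVC', 'TlntSvr')
$Baseline  = Join-Path $env:USERPROFILE 'service-baseline.csv'

# 1. Record the startup type of every service once.
if (-not (Test-Path $Baseline)) {
    Get-Service | Select-Object Name, StartType |
        Export-Csv -Path $Baseline -NoTypeInformation
    Write-Output "Baseline written to $Baseline"
}

# 2. Stop and disable the chosen services; skip names not present on this
#    machine (W3SVC only exists when IIS is installed).
foreach ($name in $ToDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Output "$name not installed, skipping"; continue }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
    Write-Output ("{0}: {1} -> Disabled" -f $name, $svc.StartType)
}

# 3. Run this part on a later day: any service whose startup type differs
#    from the baseline was changed by something (an installer, a repair,
#    a conflict) and is worth tracing before assuming an intruder.
$saved = @{}
Import-Csv $Baseline | ForEach-Object { $saved[$_.Name] = $_.StartType }
foreach ($svc in Get-Service) {
    $was = $saved[$svc.Name]
    if ($was -and $was -ne [string]$svc.StartType) {
        Write-Warning ("{0}: was {1}, now {2}" -f $svc.Name, $was, $svc.StartType)
    }
}
```

Take the earlier warning in the thread seriously here: disable a few services at a time and keep the baseline file, since Set-Service with the saved value is the way back if something like network access stops working.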

Notok
November 10th, 2004, 02:40 PM
Here's a link for that...
http://www.pcwelt.de/know-how/extras/103039/

-{ Quote: "As soon as you install SP2 on a Windows XP PC with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall. This also applies to all other services. The PC only has to provide sharing for an internal local network and connect to the Internet via dial-up or ISDN. Users of DSL services are also affected, if a firewall is not integrated into the DSL modem or a common modem instead of a DSL router is used. Additionally, Internet Connection Sharing of the PC has to be disabled." }-
(this applies to sp2 being applied over sp1)

Marja
November 10th, 2004, 02:56 PM
Notok,

There is an IIS something running, MS keeps trying to get me to d/ld .NET, but, it is already on my puter at around 59MB. So, I don't know what that is about. Do you want me to give you names of what is starting up? Like someone here said, maybe they are turning on services it needs?

IIS had to re-register .ASP NET to get IIS to run, also they needed something with .NET CLR Networking. Down at the bottom of the box there are messages in a smaller box. Let's see the ISAPIS search service was successfully removed, then later it is successfully loaded again?? See, it sounds like an ant colony with no winter coming???

Things get unloaded, loaded, but I am usually not on-line so???What is the point?

Notok
November 10th, 2004, 02:59 PM
You need to get the IIS components completely removed.. they shouldn't be there unless you are running a server. One of those "extras" that MS should have made admins install separately if needed.

I have to go to work very soon, try to get that stuff removed and post what you've done and what you can't figure out. Screenshots are helpful. I'll look more into it when I get home, if needed.

Marja
November 10th, 2004, 03:05 PM
I didn't even WANT SP2 yet, I was waiting for the CD, clicked on auto updates to d/ld a patch, left it on and the next day I had SP2. It was really glitchy at first too. I had to go through the whole thing turning on or off things that had been changed. I had no audio, I had to flash my bios too. Pretty much any annoying thing you can think of it did?

So, I had ZA as a firewall then too. Hmm, so are they saying it doesn't matter if you are on a dial up, it acts as its own server? I heard the Pro version has that, not home!! Wow, it certainly isn't serving me, sorry Still_Longhorn, but it DOES sound like a dry run for something when you think of all this busy work!! LOL!

I'll leave you deep thinkers alone, wish I could somehow just show you what the boxes say, I might miss something writing it down?

Think I will find those progs you said to use, Notok and Paranoid.

Thanks!! :)

Notok
November 10th, 2004, 03:20 PM
You've gotta go into add/remove progs and uninstall this stuff.. I'm guessing there's a lot of crap in there that isn't doing you any favors. I'll try to post screenshots tonight.

still_longhorn
November 10th, 2004, 03:31 PM
-{ Quote: "
So, I had ZA as a firewall then too. Hmm, so are they saying it doesn't matter if you are on a dial up, it acts as its own server? I heard the Pro version has that, not home!! Wow, it certainly isn't serving me, sorry Still_Longhorn, but it DOES sound like a dry run for something when you think of all this busy work!! LOL!
" }-

Most internet applications try to act as servers if allowed to! ZA, Naviscope, etc.

Aww... Shucks! close to 10 years of computer security experience down the drain because of a Sandra Bullock movie...! LOL! Oh well....

BTW, I suggest you D/L TUT from http://www.answersthatwork.com/TUT_pages/TUT_information.htm before you run off to look for spies under your bed... and the closet...the garage... and don't forget your neighbor's basement. As I said in a previous post, when you find it, call it HOUDINI... Happy hunting guys!

still_longhorn
November 10th, 2004, 03:34 PM
-{ Quote: "
I'll leave you deep thinkers alone, wish I could somehow just show you what the boxes say, I might miss something writing it down?
" }-

Use a screen shot!

Marja
November 10th, 2004, 03:57 PM
You can look under the beds and closets, I'll look in Add/Remove! Gee, and you look like such an innocent kid!!:)

Thanks, Notok!! It will be fine, I'm sure!! :D

Later, Marja8)

still_longhorn
November 10th, 2004, 04:23 PM
Visited this link http://www.pcwelt.de/know-how/extras/103039/ and read about so much crap and half truths:

-{ Quote: "As soon as you install SP2 on a Windows XP PC with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall. This also applies to all other services. The PC only has to provide sharing for an internal local network and connect to the Internet via dial-up or ISDN. Users of DSL services are also affected, if a firewall is not integrated into the DSL modem or a common modem instead of a DSL router is used. Additionally, Internet Connection Sharing of the PC has to be disabled." }-

The default for Windows is the bundling of services, hardware and protocol. When SP2 is installed, all previous defaults are re-enabled including Printer/File sharing, Plug and play, and Net BIOS. Most hackers look for Net BIOS vulnerabilities as this is the most common one. In fact, the Legion v2.1 can scan the net for the presence of Net BIOS and map any system's drive found to have it with a simple click on a button. Therefore, Net BIOS and file/printer sharing have to be unbundled (as they are not needed) in most cases.

-{ Quote: "A number of test scans run by PC-Welt revealed that this in fact is a common configuration and not a rare sight. Without great effort, we were able to discover private documents on easily accessible computers on the Internet. It must be assumed, that these users wrongly believe they are safe and that their sharing configurations are only visible in their network at home: Often, we did not even encounter password protection." }-

Duh? This is not rare because of the "lightning won't hit me" attitude of most internet users. Or just plain laziness. I have seen too many systems that simply use the default passwords provided by windows. In fact, in Hacking 101, the first passwords tried are the known system default passwords and in many cases this will suffice. Another fact is that in 1 out of 20, passwords are the same as user names. Plain laziness or just plain stupidity!
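
A check for the "bundled defaults" the post above describes (File and Printer Sharing bound to an adapter, NetBIOS over TCP/IP left on, SMB listening) with the unbinding done only when you ask for it. This is an added example, not code from the thread or from any poster; it assumes Windows 8 / Server 2012 or later (the NetAdapter, NetTCPIP and NetConnection modules) and an elevated prompt.

```powershell
# Added example: report, and optionally remove, the default file-sharing
# exposure the post describes. Assumes Windows 8+ modules, run elevated.
$Fix = $false

# SMB listeners: 445 is direct-hosted SMB, 139 the NetBIOS session service.
$listen = Get-NetTCPConnection -State Listen -LocalPort 139, 445 -ErrorAction SilentlyContinue
if ($listen) {
    Write-Warning ("SMB is listening on ports: " +
        (($listen.LocalPort | Sort-Object -Unique) -join ', '))
} else {
    Write-Output "No SMB listener on 139/445"
}

# File and Printer Sharing is the ms_server binding on each adapter; a
# dial-up or modem interface has no business carrying it.
Get-NetAdapterBinding -ComponentID ms_server | ForEach-Object {
    if ($_.Enabled) {
        Write-Warning ("File and Printer Sharing bound on '{0}'" -f $_.Name)
        if ($Fix) { Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_server }
    }
}

# NetBIOS over TCP/IP per IP-enabled interface:
# 0 = use the DHCP/default setting (normally on), 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" | ForEach-Object {
    if ($_.TcpipNetbiosOptions -ne 2) {
        Write-Warning ("NetBIOS over TCP/IP not disabled on '{0}' (value {1})" -f
            $_.Description, $_.TcpipNetbiosOptions)
        if ($Fix) {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }
    }
}

# The firewall profile is the second layer: a direct Internet connection
# should be classed Public so inbound sharing is blocked regardless of
# the bindings above.
Get-NetConnectionProfile | ForEach-Object {
    Write-Output ("{0}: {1}" -f $_.Name, $_.NetworkCategory)
}
```

Run it with $Fix at $false first; on a home machine with a single dial-up or modem interface, the expected end state is no listener on 139/445, no ms_server binding on the Internet-facing adapter, and that connection's profile reported as Public.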

still_longhorn
November 10th, 2004, 04:35 PM
-{ Quote: "You can look under the beds and closets, I'll look in Add/Remove! Gee, and you look like such an innocent kid" }-

Yeah sure! I worked on a Criterion 8500 (NCR Mainframe) when I was 20, (too old by today's standards) so I am starting my daughter young... she's 2 and well on her way....

-{ Quote: "Thanks, Notok!! It will be fine, I'm sure!! " }-

It should be! There's nothing wrong.... No offense intended. ::)

Paranoid2000
November 10th, 2004, 04:59 PM
-{ Quote: "Well DUH!! I knew they were MS progs. What I need to know, Notok and Paranoid is how to keep these busy-work services, and the remote services OFF! As soon as I turn them off, sooner or later, they come right back on. Even after I have logged off." }-
-{ Quote: "You can simplify things by shutting down unneeded services and Black Viper's (http://www.blackviper.com/) site is the best source of information here - but do take things a step at a time since disabling certain services can prevent key tasks like network access." }-
-{ Quote: "If MS wants to run all this junk on my computer - maybe they should upgrade it and pay for it! LOL!" }-
Windows - like every other complex operating system, has overheads. Housekeeping needs to be done, features need to be supported, hardware needs to be monitored. If all this complexity bothers you, then remove Windows and install DOS (or FreeDOS (http://www.freedos.org/)) instead. No background processes there, just drivers, TSRs and the struggle to free up as much of the first 640K of memory as possible.

-{ Quote: "I guess I would also like to know what they are doing? It's not like I am running huge science or math projects, geeez!!" }-
Pardon me for being a little blunt here, but my previous post had 10 links which would have given you plenty of information. Given that I spent over half-an-hour digging up those links, at least you could have the courtesy to spend a few minutes checking them out...

still_longhorn
November 10th, 2004, 05:02 PM
Imagine your home network. Imagine the file/printer/resources sharing enabled in your trusted home network environment. This is the environment Windows was made for. Nice & cozy, right?

Now, extend this configuration to go across the street, then the next city, next country. Great, right? Now everybody in your family can access files across the street, next city, next country....

Unfortunately, this works both ways... the ease by which anyone in your family can access data across the street is the same ease that whoever lives across the street, can access all your data. Bummer, you say?

Welcome to windows! This is what we had when the World Wide Web came into being and they're just beginning to play catch up!

MS doesn't want an estimated >250,000,000 users calling Support for instructions on how to turn on certain features of Windows so they left these features on by default. Great for MS. Score 1 for the baddies! LOL!

still_longhorn
November 10th, 2004, 05:40 PM
-{ Quote: "Windows - like every other complex operating system, has overheads. Housekeeping needs to be done, features need to be supported, hardware needs to be monitored. If all this complexity bothers you, then remove Windows and install DOS (or FreeDOS) instead. No background processes there, just drivers, TSRs and the struggle to free up as much of the first 640K of memory as possible." }-

Best advice thus far! Windows XP is a very complex system developed to be everything to everybody. Who knows what the smallest bug in its code could do? or the minutest conflict? When MS developed it, third party applications were the least of their considerations. SP2 was long overdue and by the time of its release, millions of systems had third party apps in place... And most of you expect a trouble free upgrade to SP2? C'mon! For crying out loud! It's easier to check for conflicts than to look for imagined spies. Rule out the conflicts then I'll join you on your spy hunt...!

still_longhorn
November 10th, 2004, 06:13 PM
-{ Quote: "
Look, longhorn, I'm not just looking for drama here.. I like troubleshooting. It doesn't matter to me what the root of the issue is, as long as it gets fixed. One of the ways you do that is to start ruling out the widest range of issues that you can and then work your way down.. sometimes it takes a while to get down to the information that's useful enough to solve the problem." }-

And what do you think I've been trying to do? I've been reading between the lines. Have you?

-{ Quote: "I know that SP2 has a flaw that will essentially broadcast your network info if you have file & printer sharing running.. this doesn't sound to me like either a super hacker or super trojan, but something acheivable by script kiddies. " }-

SP2 does not broadcast file and printer sharing... but any network scanner worth its weight in salt can determine the presence of file/printer sharing (whether or not SP2 is installed)... Thus, the fault is with Windows for making it the default and the user for leaving it enabled.

Any hacker, script kiddie and alert Sysad will always test for this vulnerability. This is relevant only when one needs access to an entire network (as this feature provides the means & infrastructure) but useless to hackers or script kiddies where stand alone systems are concerned.

Notok
November 10th, 2004, 09:32 PM
Lesson learned, I'll keep the rest of my responses private.

still_longhorn
November 11th, 2004, 04:51 AM
For chrissake Notok! This is a forum where there can be as many points of view as there are participants! There were no attacks on personalities... just on the ideas/points discussed.

Notok
November 11th, 2004, 05:29 AM
No offence meant or taken, longhorn, but I will take my end of the convo to PM to further avoid the complicated miscommunications I see developing.

If you have further sources for me to explore, I would greatly appreciate it. :)

Galcoolest
November 11th, 2004, 12:07 PM
Guys--

I was not able to be online since Tuesday- and notice much more input has been integrated since then- have to read it all carefully and assimilate.
I agree, this is all most probably an SP2 conflict, not some Super Hacker- but as a relative novice it sure looked that way. As I am now on ME for the quiet of it all, I'll read up, learn and get back to you folks.

Thank you people SO MUCH for your generous level of response and insight- I am so impressed and grateful at the outpouring of help you are offering.

I will get back here ASAP as soon as I clear up some email priorities and can read what all you all are telling me.

Thanks again,

Gal

Marja
November 11th, 2004, 02:38 PM
Well, I sure didn't expect to find such enthusiasm still going on! :)

Paranoid, I have nothing but respect for you and read your posts all the time to learn what I can!! I am sorry if my flippant attitude angered you???

Your information on the progs and the links are full of information, as you said, unfortunately, I am still learning all of this, most of your links will take a lot more time for me to understand and learn from. I am still very much a newbie at the what, how and why of computers!! You have given me a fine gift, plenty of homework learning about something I really want to understand!!

Still_Longhorn, I don't know you, can't understand your "frustration"? Some of us would rather not talk at all, than be talked down to.

I came here, in the first place, because I thought I could help someone, who sounded soo upset and tired of not getting anywhere, I know how it feels to see your computer totally crash and not be able to do anything about it!! That is why I came to this forum, I stayed because of the helpful friendly people.

The reason I am here now, WAS to post the screen shots you said you wanted, S_L, but, maybe it is better to leave well enough alone.

Thank you all for your helpful, if somewhat daunting, advice!

Marja8)

Galcoolest
November 11th, 2004, 03:07 PM
Just wanted to add that I am gleefully enjoying total peace and quiet and cleanliness over here with ME on my PC- Trend and Panda are scanning me clean as a whistle, and the whole spyware-warrior crew (adaware, spybot, etc.) do find the regular nuisances, but they're easily 86ed.

I am involved in an Ebay auction for the Pro edition- and realized after I friggin bid that it's not over for two more days, so looks like I'm hanging in limbo with ME til Saturday or so (can't retract the bid, cus I don't qualify for it).

But in the meantime, I am going to keep doing my homework about all of this. And I reiterate- thanks all of you contributors for spending the time and effort to join in with your insights on this- I never imagined so many would post! It's a great help, and I am truly grateful.... :D

Marja
November 11th, 2004, 03:33 PM
GalCoolest, it is good to know you are having a peaceful day!! Glad your ME is working for you!!

Notok and all,

These are some screenshots of my Event Viewer, if you know how to post more than one, let me know!!:)

Marja
November 11th, 2004, 03:39 PM
That one is what started it all for me. :)
Some of these are too big, I guess, tried to make them smaller.

Marja
November 11th, 2004, 03:44 PM
I was going to try to keep them in order as they appeared, but the server had different ideas.

Marja
November 11th, 2004, 03:54 PM
OK, had to cut this way down, but, it is basically a repeat of itself!

Marja
November 11th, 2004, 03:58 PM
da-da-da-dada,

Marja
November 11th, 2004, 04:12 PM
This looks funny cuz I didn't know how else to make it smaller.
(Quit laughing, you know who you are!)

Marja
November 11th, 2004, 04:15 PM
The date was cut out and the user, not me, was put in. You can see why I thought my puter was toast, I'd never seen all this. But, Paranoid2, I will learn.:)

This is fun and all, but, isn't there a way to shrink the rest and you can zoom them bigger or something like that? Notok? Any ideas??

Marja
November 11th, 2004, 04:45 PM
SORRY!!!

Someone PM'd me to ask if I was wanting help with all this!

NO!! Thank you!!

I have the help, this was suggested to keep anyone else from having a meltdown if they see all this. It is not an Uber Trojan or something, it is a conflict with SP2.

Paranoid2000 explains it very well, with links in this thread, Here.

Read it!! It will save you a lot of aggravation and needless worry!

Marja8)

still_longhorn
November 11th, 2004, 05:15 PM
-{ Quote: "
Still_Longhorn, I don't know you, can't understand your "frustration"? Some of us would rather not talk at all, than be talked down to.

I came here, in the first place, because I thought I could help someone, who sounded soo upset and tired of not getting anywhere, I know how it feels to see your computer totally crash and not be able to do anything about it!! That is why I came to this forum, I stayed because of the helpful friendly people.

Marja8)" }-

You don't have to know me to google the things I've written about for verification. The frustration stems from the fact that most of the regular members in this forum tend to put more weight on the opinion of fellow long time forum members rather than on what is being said to the detriment of the newer members. This may be a most natural human tendency but it doesn't earn any brownie points as far as I am concerned.

I came to this forum (and stayed) in spite of the fact that I could probably get more face to face facts from people I know during work. As I mentioned earlier, my experience stretches back to the NCR 8500 Criterion Mainframe and that ages me. I stayed on because you discuss things (Malware) that are non-issues in some corporate set ups and I find the discussions a source of some very good ideas. But there are limits to stretching the capabilities of today's known technological capabilities. Discussing plausible scenarios is productive and I put my foot down where discussions of Santa Claus are concerned. These discussions are counter productive if they take precedence over the logical and plausible and should be discussed last. The way I posted it was:
-{ Quote: "It's easier to check for conflicts than to look for imagined spies. Rule out the conflicts then I'll join you on your spy hunt...!" }-
Perhaps it was not the best way to say it, but believe me, it was a tongue in cheek post.

I must have browsed every thread in this forum and could have posted a single word reply to every message but chose otherwise. I have read some really sensible posts from Jr Members that are better than those of some Sr Members. Guests will always look up to the Sr Members so a point system based on 10Forward postings may someday prove to be detrimental to WSF. No offense intended. By then, we can always call WSF the Wilders Social Forum. ::)

Galcoolest
November 11th, 2004, 05:30 PM
Said counselor had filed a prima facie complaint against defendants, John Doe #1, et al., with the appropriate Federal authorities- utilizing proper legal channels. However, due to typographical errors inadvertently included by counsel's legal staff, and although such errors were completely unbeknownst to counsel, nonetheless said filing is heretofore null, void and without legal effect.

Marja
November 11th, 2004, 05:36 PM
Still_Longhorn,

Thanks for your help, I know you give it quite freely around this forum and it is appreciated.

Marja, Major Senior Newbie

still_longhorn
November 11th, 2004, 05:53 PM
-{ Quote: "Said counselor had filed a prima facie complaint against defendants, John Doe #1, et al., with the appropriate Federal authorities- utilizing proper legal channels. However, due to typographical errors inadvertently included by counsel's legal staff, and although such errors were completely unbeknownst to counsel, nonetheless said filing is heretofore null, void and without legal effect." }-

ENOUGH! Please...

Galcoolest
November 11th, 2004, 06:17 PM
LONGHORN_____ cannot we tell thee a joke from a truth???????????

Lighten up, silly! ;)

still_longhorn
November 11th, 2004, 06:33 PM
Oh I could always tell a joke from the truth. I do that everyday at work! 10 years now....

I go to 10Forward to lighten up...

Pollmaster
November 12th, 2004, 09:30 AM
-{ Quote: "
I have read some really sensible posts from Jr Members that are better than those of some Sr Members. Guests will always look up to the Sr Members so a point system based on 10Forward postings may someday prove to be detrimental to WSF. No offense intended. By then, we can always call WSF the Wilders Social Forum. ::)" }-

Indeed, many members here though well versed in the use of lots of security software (by virtue of switching firewalls every week , scanners every month etc) don't really know much or understand much about security.

Testing security software != Expert on security

For example, every member worth his salt here can tell you about his impressions of ZA, KFP, Outpost etc, but ask them about the basics of TCP/IP (heck even something as simple as the difference between TCP/UDP), you draw a blank.

But at least these people have achieved some understanding of what their software does, basic security tips, superficial though the understanding may be.

Nowadays, it's even worse. I've noticed the rise of a new breed of "senior members" or even major senior members who achieve their status by virtue of posting nonsense (oops social) posts in the ten forward only. These people love to congratulate each other for achieving milestones of 500 posts, 1000 posts etc.. I'm sure you know who I'm talking about.

Sadly, based on the few responses they have made on the "real" forums, I would say they know less about computers than my 10 year old niece.

Personally, I only trust a few names (in the expert group), and occasionally the odd guest who seems knowledgeable. Everybody else, senior member or whatever, is judged solely on what they write. It's obvious many of them have no clue what they are talking about, even to one such as me.

Detox
November 12th, 2004, 10:08 AM
This thread has obviously wandered too far off-topic to be rehabilitated. "Judging members," in particular, has nothing to do with the original (or second) topics, and so I'll close this thread before any sparks fly.