Hacker keeps getting in despite 3 reinstalls

Discussion in 'other security issues & news' started by Galcoolest, Nov 3, 2004.

Thread Status:
Not open for further replies.
  1. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    She's in a rush and she wrote all that. One fast typer.

    Jimbob
     
  2. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    it's called "copy/paste"
     
  3. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    But that doesn't mean she can't type fast :rolleyes:

    anyway, glad to have pg3 that is for sure. I am wondering what jason would say about it...


    If this was on my machine I would get a third leg from it I guess, a long third leg...from the frustration it would give me... :D
     
  4. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    What I clearly meant was that a SUPER HACKER finding you three times in the net after three reformats, a dynamic IP and a firewall that filters outbound packets was a statistical improbability.

    But if you say that you are having one of those really rare hardware/software conflicts that are manifested in the ways you stated, then this perhaps is a more credible premise that a lot of members would love to dissect to death IMO.
    In fact, these conflicts have become more and more commonplace and are even caused by utilities and apps that were installed to help the user.... The processes have evolved to become so complex that no one knows for sure what some specific files are for or if they can create conflicts within the system.

    IMO on the average, a system can have 30-40 processes running in the background (excluding infections :rolleyes: ). Add to this apps that protect the registry plus apps that protect the protector and so forth and so on... then you begin to realize the potential for chaos. When a member gives an opinion that his/her experience with a certain app was favorable or safe, it does not in any way give that app a 100% fail-safe tag for the simple reason that there are several factors that may still have to be encountered: Configuration Errors, Failure to Handle Exceptional Conditions, Design Errors, Boundary Condition Errors, Input Validation Errors,etc.

    Even conflicts arising from "straight from the box installations" are commonplace... What I am saying is there can be several logical explanations to your problem but a Super Hacker is not one of them.
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I agree, this is starting to sound like a problem for truly expert help.

    BTW, galcoolest, are you using the paid version of PG? It's only the paid program that will stop drivers from installing.
    And for God's sake, get OFF ME.. it's MUCH easier for these things to directly affect your hardware while running Windows 9x/Me. Getting XP Pro would definitely help in being able to set restrictions to curb some of these behaviors.

    A couple things that we need to know:
    Are you physically disconnected from any networking while reformatting? Remove the cables until everything is completely done, if you have any wireless adaptors then pull them out until you get this resolved.

    Are you getting any kind of alerts from Prevx or ProcessGuard before this stuff happens, or does stuff just start to happen? As asked above, are you using PG free or paid?

    Have you scanned with TDS-3 in safe mode? Did it turn up anything?

    I'm almost starting to wonder if this isn't a physical threat. Do you lock your desktop when you leave the computer, etc? This is another area that XP Pro will help, you can turn on auditing to get logs of when there are logons and other changes related to security.

    If you are worried that it might be something hiding out on your video card, one thing you can do is hit up your local thrift stores, they will often times have crappy video cards for practically nothing.
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Still_longhorn: Keep in mind that on AOL all they really need is the username.. they have utils that will wait until a username pops up and report the new IP, sometimes initiating the attack automatically. I've actually heard stories from the other end of this type of attack before..
     
  7. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    to galcoolest: do you have any brothers? or some roommate working on your puter? is this your own puter? I stand by Notok, saying a limited user account is one of the safest things to do for surfing the web while your power account is only for installing things and ONLY then uncheck block drivers/rootkits/services if you have the full app.

    you can try ssm which is free and gives a lot of security.


    bye
     
  8. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Another utility for the next time you reformat is nLite (http://nuhi.msfn.org/), this will let you remove some of the vulnerable components of Windows while creating a new install disk.. services, etc, can't be turned on if they aren't there to begin with.

    Also, don't install any instant messengers if you can avoid it.
     
  9. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
  10. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    Thanks for the replies guys-

    The deal is that of course I unplug every bloody thing before I do the wipes and reformats, have no wireless anything, and have been using PG paid version (for a whole day!) And yes both Prevx and PG went bananas with me, but it was always in conjunction with Windows or Outpost or other updates, as I wasn't grabbing other stuff off the net, so I thought the permissions I gave were appropriate (NOT!). And I have run every darn bit in Safe Mode, done netstats, cacls, shut down registry changes, you name it. Nothing works.

    This is my concern actually: I reloaded from disk (CDs) Prevx, Outpost, PG, RegWatcher, Eraser, SafeXp, CwShredder, HijackThis, Spybot, AdAware, Ie-SpyAd...but didn't run them all, just got around to installing Prevx and PG. ME needed 21 updates, which wouldn't download or install at first, until I tweaked the sentries just mentioned. Whatever. I decided to go with ME for a day in the hopes that the damn bug was embedded in WinXP and I could at least know that much.

    No such luck. The same crazy stuff is happening on ME- though, of course, I have no way of documenting it like in XP--- it's evident though from having created a secondary user here on ME that something is dicking with the PC, cus when I try to log out it hangs bigtime, etc. And drivers I don't recognize are getting installed surreptitiously (different ones, but not ones I saw before), and strange software is showing up again- interestingly, without any notification from PG or Prevx!

    I need to clarify: there isn't a hacker I can personify any more- my initial run-in with all of this included an actual person who had his files (photos, music, code packs) on my PC- and as some of you know, personally destroyed my PC before my eyes when he found out that I HAD FOUND OUT about him hiding on my machine, and had deleted his files. (Mind you, I saved a bunch of them, even though many were encrypted, and let him know the Feds were on it...).

    No, now I am dealing strictly with trojan(?) malware- there isn't a physical, personal intrusion that I can see. Just crazy launching of code (scripts) which you can see by the times logged as happening simultaneously, within a minute, and no human could do that- change all your WMI and MMC stuff instantly. No, it's a bundle of software that's being released.

    I cannot, though, figure out if it's triggered by something the Administrator does (in Home, he's the only one who can tighten the bolts), or reinstallation of say, Prevx or another program from disk, or the act of getting back on the Verizon LAN (cus this whole business has been connected to the LAN---the hacker was masquerading as local and then network service)- like is there some corrupt asshole who works for Verizon doing this? o_O I am not on AOL now (was there for a short bit last night out of frustration)- and have a Linksys router, properly configured, with my DSL.

    As I am no techie, but also no fool, I have tried to suss out the source as best I can and am getting nowhere. Of course I know ME is insecure, but I don't care, cus this is a purely diagnostic install-to see if the **** is going on cross-OS- and it is, I believe.

    I have been looking through Google for insights, and have seen sporadic recent mentions of this crazy sort of ineradicable nuisance (an example of which I posted above). I personally believe there IS SOME SORT of super nasty code being dumped around on certain machines, esp. one like mine: a typical, consumer, bonehead, mediocre Dell- the owners of which, in general, have no clue about this sort of thing and make perfect targets for stoolie machines in the schemes of malfeasants.

    What I am trying to ascertain, esp. after reading that folks who have so much more knowledge than me are considering making their PCs garden art or door stops in the face of this stuff, is whether someone, some resource of geekabrains, has any clue how to 1) eradicate the monster and 2)clean what it's polluted? Can you all even send me to a (yikes) "professional" outfit ($$) that could evaluate the cost/benefit analysis of this mess? (Screw the PC- I want my files cleaned!)

    Thanks my friends. I am not a beginner on the security stuff. This is way odd. This is SCARY ODD.
     
    Last edited: Nov 9, 2004
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Not doubting you, galcoolest, just wanting to see what's been done.

    At this point I would definitely say it's time for both expert advice and some head clearing. Since you've bought PG you are definitely entitled to some of the best support you can get :)

    1) Get DCS' advice on the matter

    2) Print out the page with the policy registry changes (you can disallow things like allowing actions to be performed with alternate credentials, etc.. I know there's a lot of stuff you don't care about on that page, but go over it with a fine tooth comb) .. http://home.covad.net/~zeiler07/gphome.html

    3) Download the WWDC and every other piece of software you can think of and burn them all to disk. Even if you don't think you'll use everything you download, you can at least have it on hand. You might also think about something like The Ultimate Boot CD for some diagnostic purposes.. http://www.ultimatebootcd.com/
    If you can download and burn these from someone else's computer, all the better.

    4) Most importantly: clear your head and come back to it with a clear strategy.. print everything out, turn the computer off for a few days until you can think about it without getting panicked or angry. I just had a weekend filled with frustration from what seemed to be an impossible problem, after spending several hours pounding my head I reformatted and the problem didn't go away. After forcing myself to get away from it, reading some Terry Pratchett (fantasy parody writer, for those that don't know, impossible to read without at least cracking a grin), etc, I came back and solved the issue in 2 mins flat. I know your problem isn't going to be that easy, but clearing your head is going to be the most critical aspect to dealing with this.

    If you absolutely can't turn the computer off, you might consider getting a copy of Knoppix, or another LiveCD Linux distro, to use for a little while, and unplugging the power to the hard drive while you use it. That would at least let you get online to browse and such until you can sort things out. Getting away from the computer altogether is my recommendation, however.
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Galcoolest,

    Based on the information you have supplied so far, I would make the following observations:
    • A full format and Windows re-install should wipe almost all malware. But how are you formatting? The best method of wiping your system is to either boot your system with a (write-protected!) floppy Windows recovery disk and type format c: at the A:> prompt or to use the Windows Recovery Console (see Description of the Windows XP Recovery Console for instructions) to do a format (if you choose this route, try a fixmbr also to overwrite your boot partition in case that has been altered). Any other hard disks on your system should either be disconnected or formatted also (if you have overlooked these previously, they could have caused a reinfection).
    • A fresh Windows install is highly vulnerable to being compromised. It is therefore critical to ensure (at the least) that a firewall is installed and configured before connecting to the Internet. You will not have time to download critical Windows updates before your system gets compromised. Now this is a catch-22, having to have downloaded software before being able to connect to the Internet, but in your case I would suggest (if you have not already done so) downloading your preferred firewall, antivirus/antitrojan scanners and other security software (including a replacement for Internet Explorer - like Opera or Firefox) using a friend's PC, a work PC or even a cybercafé and burning a copy to CD (assuming there is a CD-writer available). When you have copied the software onto CD, close the disc (this should be an option in the CD-writing software) to prevent anything further from being written to it. This should ensure the CD copies are and remain virus-free (given your previous posts, it would be safer to assume that any current CD-ROM copies you have are potentially infected).
    • Are you installing using a Windows CD, a manufacturer-supplied "recovery disk" CD or a recovery partition on your hard drive? If from CD, they should be malware-free but if from a recovery partition then this could well have been compromised. In this case, beg/borrow/steal a Windows CD from somewhere.
    • Once Windows is installed, configure the firewall to only allow essential applications (email, web browser) access - nothing else (if you are using Outpost, then consider setting it up as detailed in A Guide to Producing a Secure Configuration for Outpost to ensure that its settings are locked down hard). Set up your other security applications. Only when you are sure that everything is configured, should you attempt an Internet connection.
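    The post above relies on the burned CD staying exactly what was written on a trusted machine. One practical check that backs this up, added here as an example and not code from the thread or any poster: build a SHA-256 manifest of the installers on the trusted machine before burning, and on the freshly installed machine verify every file against that manifest before running anything from the disc. The file names, contents and directory are constructed for the demo; the script works on any directory of installers.

```python
"""Manifest-based integrity check for an offline set of security installers.

Added example (not from the thread). Workflow assumed by this script:
  1. On the trusted machine, run build_manifest() on the folder that will be burned.
  2. Burn the folder, manifest included, and close the disc.
  3. On the freshly installed machine, run verify_media() on the disc before
     executing anything from it; install nothing if it reports problems.
"""
import hashlib
import os
import tempfile

MANIFEST_NAME = "MANIFEST.sha256"  # constructed name for the manifest file


def sha256_of(path):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(media_dir):
    """Trusted-machine step: write '<sha256>  <filename>' lines for every installer."""
    lines = []
    for name in sorted(os.listdir(media_dir)):
        if name == MANIFEST_NAME:
            continue
        lines.append(f"{sha256_of(os.path.join(media_dir, name))}  {name}")
    with open(os.path.join(media_dir, MANIFEST_NAME), "w") as f:
        f.write("\n".join(lines) + "\n")
    return lines


def verify_media(media_dir):
    """Fresh-machine step. Returns (ok, problems); problems lists files that were
    modified, are missing, or are present but never listed in the manifest."""
    expected = {}
    with open(os.path.join(media_dir, MANIFEST_NAME)) as f:
        for line in f:
            digest, name = line.rstrip("\n").split("  ", 1)
            expected[name] = digest
    problems = []
    for name, digest in expected.items():
        path = os.path.join(media_dir, name)
        if not os.path.exists(path):
            problems.append(f"missing: {name}")
        elif sha256_of(path) != digest:
            problems.append(f"modified: {name}")
    for name in os.listdir(media_dir):
        if name != MANIFEST_NAME and name not in expected:
            problems.append(f"unlisted: {name}")
    return (not problems, sorted(problems))


def demo():
    """Constructed scenario: clean media verifies; then one installer is altered
    and an extra file appears, and both are reported."""
    d = tempfile.mkdtemp()
    for name, content in [("firewall_setup.exe", b"constructed installer 1"),
                          ("browser_setup.exe", b"constructed installer 2")]:
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    build_manifest(d)
    clean_ok, _ = verify_media(d)
    with open(os.path.join(d, "firewall_setup.exe"), "ab") as f:
        f.write(b"\x00appended bytes")          # simulate tampering
    with open(os.path.join(d, "extra.exe"), "wb") as f:
        f.write(b"not on the manifest")         # simulate an added file
    tampered_ok, problems = verify_media(d)
    return clean_ok, tampered_ok, problems


if __name__ == "__main__":
    print(demo())
```

    The manifest only proves the disc matches what the trusted machine saw, so it belongs in the same sitting as the downloads; it also gives a quick answer to the post's last point, since any older CD that fails the check can be discarded rather than guessed about.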
     
  13. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    Thanks for all your input, folks. First off, I have been aware of and utilizing GRC's many cool tests for years- I pass as "true stealth" and "that's unusual for a Win OS machine" is always added- (manually configure ports, etc.). And I am a single, no kids gal with not a soul-ever- getting near my machine, so physical intrusion is impossible. (I'm so paranoid, that even though I live alone with two cats, I have my BIOS and system locked by passwords, JUST in case some neighborhood kid should EVER wander up to my office, etc.) LOL.
    I know all about the recommended strategies- the pack of software one should use (mentioned before), the ups and downs of the various browsers (duh the DOWNS of the big one, but I had so much trouble with Firefox and Netscape that I settled for MyIE2 [Maxthon], locked down tight)--the crummy AVs and the worthless firewalls, etc.

    That's why I am so incensed. I haven't had a speck of trouble for months- I don't even get but 2 spam mails a week- and then right after, a day after, I finally got coerced into installing SP2 (which I was not keen on, let me tell you), this nonsense started. And had I not freaked and deleted the original intruder's files, I doubt the rest of this would have ensued.

    I really ticked him off- I erased literally hundreds of files, and the unerasable (encrypted) config files I simply messed with to the best of my ability- trying renaming, cutting, pasting, etc. etc. I messed his scene up for sure, having found him luckily when he was offline, (with time to offload my new stuff cautiously) and he proceeded to burn me to the ground after that- step by horrific step, I watched my PC fry.

    So I threatened him with the Feds, and I thought he was gone. But then, for the past two weeks or so, I have been stuck with this "virtual" monster, executing code that wipes my authority, my access, my files, etc. And the rest you know--- I can't seem to get rid of it!

    I appreciate all of your suggestions, but trust me, I have been very conscientious and with a high degree of education on security- no matter, unfortunately. There isn't squat that is keeping this creepy infiltration from manifesting- none of my soldiers can see it or stop it- it's scarier than all get go.

    Hearing some say it may warrant chucking the metal box into the garbage isn't that surprising to me now- it's looking nearly hopeless.

    BUT: I am a civil rights attorney-really-and we tend to be damn hard core combatants. I won't go down without a fight! So my brave mercenaries, let's get this enemy of freedom and peace! Surely somehow our heads put together can vanquish this infidel! :D
     
    Last edited: Nov 9, 2004
  14. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Aaahhh....! The plot thickens.... From Super hacker to the conspiracy theory.... for that to happen, AOL has to be part of the hacker's data base...

    C'mon guys! Let's stick to conflicts and incompatibilities...!

    BTW, PG prevents installation of new processes regardless of whether it's the paid or free version. The difference is that the free version can only protect one application.

    The only way to resolve this is to eliminate all the speculations and guesswork by starting with DCS ASViewer:

    galcoolest, please post your asviewer logs (with your permission mod....) so we can see what has been loaded into your PC at start up....
     
  15. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
  16. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Next: Please download the evaluation copy of TUT from http://www.answersthatwork.com/TUT_pages/TUT_information.htm

    This cute app will point out conflicts & potential conflict areas in your system....
     
  17. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    I cannot stand these old IE browsers! I go to look for something, and boom- minutes of typing is poof!!!

    So- rather than my long answers to you all---- Quickly, I reformatted the first time by doing the debug routine (Dell fed me it), fdisk, repartition--- no go, animal was back. So Dell had no other ideas, and I figured out thanks to our pals at Google (is that the sh*t or what? Gosh I woulda killed for it in school!) that I needed my hard drive manufacturer's software, and got the Maxtor offerings- did low level (3 hour) formats, repartitioned in lots of different ways over the course of SIX reinstalls - having run Eraser first, mind you...----and STILL THIS IS ON MY PC!!!!

    And now it's there even in ME!!!!!!!!!
    C'mon folks, I am not imagining this. 666 is clearly written on this one. I've never seen anything like it. Chucking the damn metal box is looking like a good idea, I must say. :mad:
     
  18. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    If you have anything suspicious in your start up log, someone in this forum will find it... Then we can start discussing solutions....
     
  19. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    You're a lawyer galcoolest! At least give us the logs (proof) to work on. Hearsay won't stand in court. 50 posts about Asmodeus being in your computer won't make it a reality...! Post the logs!
     
  20. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    If u are dealing with a hacker - U might like to do a little test of ur ports and shields to find out how ur computer is being accessed.

    https://grc.com/x/ne.dll?bh0bkyd2

    Results of each test will be given to u online.
     
  21. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    Well the deal is : I am on ME right now, and beginning to think I was hyperventilating about the Beast being on here too. However I shall show what's going off in start-up (nothing unusual) but want you all to look at the drivers lists- sure seems like way more drivers than I recall in ME.

    I'm really beginning to think my best bet is to just order the Pro upgrade online now (was going to wait til I got back to CA in a few weeks---leaving hellish FLA for the coolest spot in the USA, where I'm from, San Fran [NEVER call it FRISCO!]. Could snag it cheap there- Cheap as in, who me? I'd never do that!) But I have been screaming bloody murder about HOME since the day I got it- what a lousy configuration it is, a total pain. I'll bite having to pad Bill's pockets again....

    So I'm thinking, until Pro gets here in a couple of days, I'll just hang with ME cus nothing obvious is wrong and even if something is, I wouldn't know it really, and what I don't know can't hurt me, right? LOL. Kind of like it was advised -- I'll take a breather. Just hang out on the terrace here- let the infuriations of the XP mess go by the wayside for a while. Ignore the car horns and smog. Contemplate the shrubbery.

    When I reload XP, it will be after another complete low level format and BIOS flash and OF COURSE, as always, I will configure all the security before daring to get online. I am gearing up with all the downloads you guys suggested and fresh versions of my old crew, too. I do have the SP2 disk, which I gotta load, damn it, but them's the breaks . I have had serious problems with it since day one, not this turmoil only, but super rigidity of the system, software conflicts and meltdowns, etc.

    Actually I have all the HOME updates from June-SP2 on disk, but I have simply had it with HOME and feel the added functionality, configurability and security of Pro will be a huge relief. I mean, in HOME it's black or white only- no inbetween usability- and ltds [which I have surfed under for safety- ha ha ha, lotta good all that cautionary behavior did for me after all ] can't even download software updates!!!! It sucks all around. I'm not gonna reload HOME. Screw it.

    So, my point is that I'm asking you all to wait til I get Pro and then we'll see what happens, ok? I am consciously putting nothing on this PC now or planning on saving anything - I'll just forward things to my web email if I need to save em (Links, emails, whatever). I agree I need a vacation from the nightmare of being naked and powerless on my own PC as is the case under HOME-- loitering on ME is pleasantly uneventful! :D

    Thanks everyone for your thoughtful comments and suggestions. Will send along the start-up crud from ME asap. But my Home burned down as far as I'm concerned.
    PS: Quick question-- Is the Pro upgrade like the Home upgrade in that you can upgrade or CHOOSE TO DO A FRESH INSTALL? Sure hope so!!!
    PPS. I have had exactly 4 hits on my firewall in the past four hours.... :D
     
    Last edited: Nov 9, 2004
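    Two posts above ask for the same thing: a startup/driver listing to compare against what a clean install should look like, and galcoolest's own remark that ME "sure seems like way more drivers than I recall". The script below is an added example (not code from the thread, from ASViewer or from any poster) of how a reviewer would triage such a listing: it diffs a current listing against a baseline taken right after a clean install, and flags new entries that have no publisher, load from outside the Windows or Program Files directories, or claim to be drivers but sit outside the drivers directory. The `kind|name|path|publisher` listing format and the sample entries are constructed for the demo and do not reproduce any real tool's output.

```python
"""Triage a startup/driver listing against a clean-install baseline.

Added example (not from the thread). The listing format below is constructed:
one entry per line, fields separated by '|':  kind|name|path|publisher
where kind is 'driver' or 'autorun' and publisher is empty when the file is
unsigned or the signer is unknown.
"""
from collections import namedtuple

Entry = namedtuple("Entry", "kind name path publisher")

# Constructed baseline captured right after a clean install and before going online.
BASELINE = """\
driver|Ntfs|C:\\WINDOWS\\system32\\drivers\\ntfs.sys|Microsoft Corporation
driver|Tcpip|C:\\WINDOWS\\system32\\drivers\\tcpip.sys|Microsoft Corporation
autorun|Outpost|C:\\Program Files\\Agnitum\\Outpost Firewall\\outpost.exe|Agnitum Ltd
autorun|ProcessGuard|C:\\Program Files\\ProcessGuard\\procguard.exe|DiamondCS
"""

# Constructed current listing: two entries have appeared since the baseline.
CURRENT = """\
driver|Ntfs|C:\\WINDOWS\\system32\\drivers\\ntfs.sys|Microsoft Corporation
driver|Tcpip|C:\\WINDOWS\\system32\\drivers\\tcpip.sys|Microsoft Corporation
driver|unknown_drv|C:\\WINDOWS\\system32\\unknown_drv.sys|
autorun|Outpost|C:\\Program Files\\Agnitum\\Outpost Firewall\\outpost.exe|Agnitum Ltd
autorun|ProcessGuard|C:\\Program Files\\ProcessGuard\\procguard.exe|DiamondCS
autorun|svchost|C:\\Documents and Settings\\owner\\Local Settings\\Temp\\svchost.exe|
"""

# Directories from which startup items are normally expected to load (lower-cased).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


def parse_listing(text):
    """Return {(kind, lower-cased name): Entry} so the same item matches across runs."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, name, path, publisher = line.split("|", 3)
        entries[(kind, name.lower())] = Entry(kind, name, path, publisher)
    return entries


def suspicion_reasons(entry):
    """Heuristics a reviewer applies to an entry that was not in the baseline."""
    reasons = []
    path = entry.path.lower()
    if not entry.publisher:
        reasons.append("no publisher/signature")
    if not path.startswith(TRUSTED_DIRS):
        reasons.append("loads from outside Windows/Program Files")
    if entry.kind == "driver" and "\\drivers\\" not in path:
        reasons.append("driver not in the drivers directory")
    return reasons


def triage(baseline_text, current_text):
    """Return (added, removed, flagged): entries new since the baseline, entries
    that vanished, and {name: reasons} for new entries that look suspicious."""
    base = parse_listing(baseline_text)
    cur = parse_listing(current_text)
    added = [cur[k] for k in cur if k not in base]
    removed = [base[k] for k in base if k not in cur]
    flagged = {}
    for e in added:
        reasons = suspicion_reasons(e)
        if reasons:
            flagged[e.name] = reasons
    return added, removed, flagged


if __name__ == "__main__":
    added, removed, flagged = triage(BASELINE, CURRENT)
    print(f"{len(added)} new entries, {len(removed)} removed since baseline")
    for name, reasons in flagged.items():
        print(f"  REVIEW {name}: {'; '.join(reasons)}")
```

    The diff answers the "more drivers than I recall" question with a count instead of a memory, and the flags narrow a long listing down to the handful of lines worth posting. A baseline is only useful if it was captured while the machine was still offline, which is why it pairs with the clean-reinstall advice earlier in the thread.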
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Since you are already a DCS customer have you considered looking at Port Explorer. That way you can monitor incoming and outgoing traffic.

    Now what may be a naive question. I am running ZAPro and have tested it at GRC's site plus several other sites, and it shows all stealthed. Also I have run PCFlanks Exploit test which tries to attack the computer with stuff that would crash it. ZA passes. My question is even if someone knew your username(AOL or whomever) could they really attack the computer. Might screw up surfing maybe like a denial of service attack, but could they get to the computer itself.
     
  23. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    My infiltration was probably through the Linksys BEFSR41- which was disastrously flawed and not patched by them until August. Many folks on LANs were basically open season for creeps who knew of the vulnerability. My firewall never saw a thing. I also have ZA Pro right this second (Outpost was on XP, but ZA is fine for now over here on ME, for today, my being too lazy to configure Outpost tonight).
     
  24. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I am with you on this Still_Longhorn

    It is difficult for me to believe in super-trojan theories. If I had something this complex on my computer I would not be in any forums looking for the answer. I would be emailing people like KAV, NOD, Jason and Gavin at DCS, Ewido, A2, Trojanhunter, BoClean and even Nautilus and let them all have a look at it.

    I would go straight to the experts. The people in these forums are smart but most do not have as much experience as the people that are making a living at this writing software to counter these threats. It is doubtful a solution to something this complex would be found in this forum.

    I suggest going to the experts and coming back with their answers to what they think is wrong. I am sure others would like to know the resolution to this problem.


    Starrob


     
  25. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    OK. Since the start up logs cannot be posted for everyone's benefit, I will nevertheless stick out my neck by saying: There is no Super Trojan or Super Hacker involved here! It goes against my grain to even speculate without the start up logs as basis but here IMO, are the pertinent facts:

    1. This all started after an upgrade to SP2 for Win XP Home;
    2. Super Hacker ruled out because of the statistical impossibility of a hacker finding the same HDD/PC that has undergone three reformats, a BIOS flash and a change in ISP provider, plus a FW that prevents anyone from calling home;
    3. Unknown drivers being loaded in spite of PG; (IMO, these unknown drivers should read as corrupted/unstable drivers brought about by application conflicts)

    #1 tells me when
    #2 tells me how and where (conflict area)
    #3 tells me why galcoolest's system is acting that way

    The what is kind of tricky but I'll stick out my neck with a hypothesis:

    I agree that an upgrade to XP Pro will eliminate the problem not because Pro is inherently better but because when one uses Pro, the default login is Admin, whereas the default for Win XP Home is "owner". IMO, upgrading to SP2 using "Admin" as the default instead of "owner" (possibly used during the original installation) has created all the conflicts! LOL!

    OK, all you techies, you were all taught not to argue with a hypothesis in Science 101, but to test it! LOL

    I am serious! IMO it is a conflict that is causing all these and the use of a password other than the default used in the original installation of XP Home can create this Input validation error. I could be wrong but it seems more logical than the Super Hacker/Trojan theory....
     