Hacker keeps getting in despite 3 reinstalls

Discussion in 'other security issues & news' started by Galcoolest, Nov 3, 2004.

Thread Status:
Not open for further replies.
  1. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    I apologize up front that this will be a tad lengthy, but I need to detail the mess so maybe someone can offer up ideas...

    Right after I installed SP2 from disk onto my Home Ed. XP two weeks ago, I got very badly hacked and had my system basically destroyed bit by bit by a malicious creep. Very ironic, no? cus SP2 is about security. He was hiding deep in a hidden user and lashed out when I found him trying to store his stuff on my PC and I started deleting it.

    After I wiped and reformatted, the attacker was right back at me. Then I did a low level format, and again reinstalled Home XP and SP2. Even before I got on the net (dial-up only for now since my LAN was where the destructive attacker came from), strange things started up all over again.

    My login box has runaway dots in every user I open, and I have to hit backspace a bunch of times to get the running dots to stop. Then my PC (not using the Welcome screen) asks for my passwords 3 times if I am online and logging on to use another name. It doesn't do that when
    I am offline, but the dots still take off. (Dell had no idea what to say as they came back instantly after a complete system cleansing, and they have never heard of this). Also, my keylogger snooper sees nothing, but it sures seems fishy.

    My Services settings in MMC keep changing from the "no unnecessary interactions with others" formulation suggested by many XP help sites, including Black Viper's (whose advice isn't always perfect, so I have enabled System Restore, for instance). In other words I am not disabling anything vital, so the System isn't doing this I don't think, having a meltdown or something, because of misconfiguration. The things that happen seem deliberate and sinister.

    Very distressingly, when I try to expand Component Services, the MMC shuts down instantly. No other service does this (that's the one that would tell me my computer COM+ configuration). The Administrator and System are the only two users with full control of the WMI configuration. The root console is write-protected, or so I thought. But services AND permissions keep changing. I got kicked out of seeing my own documents under one limited user. There is an "unknown user" with a numerical name showing up on my permissions lists. System restore points I set vanish.

    And like before I finally found the hacker recently, I now see duplicates of my screenames in Windows Explorer, like say mine is "User" and a new one is there "User:My Computer Name". Why is XP doing that? These new dupe names are not seen except in Explorer. The unknown guy is only in permissions.

    I ran the Microsoft Baseline Security test and it came back saying that it couldn't access my registry. A day or so after reinstall XP told me I had to reactivate again (second time in 2 days) because so much hardware had been altered. (I went and looked, and I see all sorts of drivers that are new, esp. networking ones--) is this just SP2, and if so, why didn't XP say this last time I installed SP2?

    And my main limited surfing name had its entire desktop wiped off again. And I cannot access the All Users profile, and Shared Doucments has disappeared and is now called Documents, inaccessible.

    Norton AV has had two strokes. Zone Alarm keeps asking me if I want to allow Generic Host Process to be a server (NOT!), and there are scores of hits at the wall hourly (have not set up the router yet, as it was trouble too!) And the warning about other users on the system at shutdown is back- but I cannot see one in Task Manager of course, just that SVHOST is
    ranked up enormously. There is also an unknown user in the security and applications logs, "N/A", but I cannot tell what he's doing.

    PLUS there is a bunch of software popping up in my program files that I did not install. What's Xerox? Which part of XP installs MS FrontPage??

    How could all this stuff be happening AGAIN!!? It started even before I got online!! I did a low-level format! I use Maxtor's software and it took like 3 1/2 hours. This after I had ALSO erased my system and private files with Eraser and had run the Maxtor utility to totally check every cubbyhole of my drive for integrity. Supposedly this was as healthy and clean as I could ever get this bugger. ANd I'm not on my old LAN, but AOL temporarily. I have new
    names and passwords. My firewall is tight- and shows no intrusions! I know about and religiouly use every bloody piece of recommended protection software known to man!

    Is it possible my SP2 disk has some malware on it that some nice MS techie snuck in? I'm sure they could bury code on some prints of it, the disk stamping crew wouldn't know it.... Just for the yuck of it,,,

    None of this crazy stuff happened before SP2 install 2 weeks ago. I mean, though I was hacked before when I first got XP, a wipe got rid of him. And my experience with my invader is that he is one helluva a computer expert and has great fun undoing everything I do, then locking me out of
    stuff, and finally wiping my files.

    I am dead serious! If some guy is jumping on my machine like this ---third time now- and it's ONLY after I load up the SP2 that stuff starts going downhill, and then REALLY downhill once I get online, I wonder if the SP is phoning home to someoneo_O?

    I'm upgrading soon to Pro anyway, cus I am plain fed up with Home's security, networking, and user limitations, but I would still appreciate comments. I think I'll be uninstalling SP2 off of Home damn soon though, as I never had problems until I installed it last month and want to see if they go away. I mean it's just too damn bizarre. And infuriating!
    Thanks for any comments you can make.
    Gal :(
     
    Last edited: Nov 3, 2004
  2. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Amazing! You have Zone Alarm that prevents anyone from calling home.... You are using dial up which means your connection is dynamic, yet a hacker can find you just like that? Amazing!

    IMO the two conditions above rule out hacking. Have your CMOS/BIOS checked....
     
  3. Down_Under

    Down_Under Guest

  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    From what I understand, it's easier to find you when you're on AOL (even with a dynamic IP) and a hacker can always target your specific firewall. But from what she said, the attacks came even before getting online? Any physical connections to the network? Wireless network cards?

    Having the CMOS/Bios checked is a good idea, not only on the motherboard but the video card (I've seen mention of rootkits that claim to be able to store info on your video card's bios)

    Since you are using XP Home, there's no Group Policy Editor, but you can make a lot of the same changes in the registry (http://home.covad.net/~zeiler07/gphome.html Careful!), which would be my highest recommendation.

    If you haven't already, UNINSTALL file & printer sharing (control panel > network connections: right-click on your connections and select properties, select and 'uninstall' "file and printer sharing") Also,while you're in the Control Panel, go into Internet Settings and change the "Internet Zone", "Local Intranet", and "Your Computer" to 'high'

    Some additional settings can be disabled easily with SafeXP (http://www.theorica.net/safexp.htm) including DCOM .. Widnows Worms Door Cleaner (http://www.firewallleaktester.com/wwdc.htm) is another good one, covers some different ground than SafeXP.

    ProcessGuard (http://www.diamondcs.com.au) would stop things from running without your knowing and a lot more.

    You can scan for malware using TDS-3 (same site as ProcessGuard) in safe mode, make sure to go into 'scan control' and select 'scan for clients\editservers', and of course make sure you download the latest update with it. Another one while you're on this site would be Port Explorer, see what's connecting out of your computer. You might take a look at their freeware, too.

    You might think about using a different, less popular, firewall (temporarily.)


    Prevx (http://www.prevx.com) may or may not be of help here, but it would alert you to (and prompt you to allow or deny) file activity in the windows directories and program files directories, as well as some buffer overflows.

    You would probably want to make any of these changes offline, download the files at a friend's house if you have to. You can also set up the router offline, which would probably help. While offline you should probably change to some very strong passwords.
     
    Last edited: Nov 3, 2004
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Better yet, don't keep your passwords on the computer at all.
     
  6. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Did you create an admin account with a complex password and did you create a regular user account for yourself?

    Don't ever use admin, except for hardware changes.

    Install XP without any network device attached (modem, network).
     
  7. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    You may have a backdoor or a RAT( Remote Access Trojan ) on your computer.
    There is a backdoor on your computer that is allowing a malicious hacker to compromise your system and control it remotely. The hacker may have some sort of method to bypass all the security programs on your computer.

    Also, you state that you have Zone Alarm firewall installed on your computer. But did you configure Zone Alarm properly for optimal protection?

    Hackers can do all sorts of things to your computer, I wouldn't be surprised if your CD-ROM drive popped open on its own when you did not touch it.

    Also, you state that you installed SP2, is your copy of SP2 genuine? Pirated software should not be installed.
     
    Last edited: Nov 3, 2004
  8. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    can you go into safe mode and scan your system with tds and ewido?

    also for this beast I think norton is too light (not on resources but on sigs and detection)

    you find a copy of ewido here:

    http://www.ewido.net/en/

    the copy of tds Notok has given you.

    to be honest it is the second time I see this with someone and that in a month time. creepy, and dangerous damn damn damn...

    if it really is on your vga card or in your bios mem then I think the only thing you can do is.... .... purchase a new mobo but this I am not sure.
     
  9. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    If this is the case the BIOS can probably be re-flashed, but if you aren't 100% sure of what you're doing it's best to have a pro do it for you.
     
  10. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    It is very difficult to "stalk" a dynamic IP on the net, much more hack the same system three times after being formatted.
    IMO there are two types of people who do these things: Hackers & Script kiddies. The former are probably more skillful but need the proper motivation or incentive to want to hack into any system. (I do not see why any skilled hacker would want to break into a newly formatted HDD.)
    The more probable type would be the script kiddie, a creature of opportunity that relies more on available scripts and apps that assist him in his endeavor. Being less skillful than the hacker, he surfs the net looking for opportunities and vulnerabilities by scanning entire subnets in the hope that an easy target pops up. The tools for these are readily available. In fact, there is one very popular app among script kiddies that searches for vulnerable systems and allows them to map the victims' HDDs into their own. (For you in the know, the app's name starts with an "L" and the latest version is v2.1.) All it really takes is to use a super scanner like Asm* to find Net-bios connections and then run "L"v.2.1 and your C:\ is mine. (No kidding!)
    Now, given the above scenarios, what are the chances of finding the same system 3 times? IMO it has to be the CMOS/BIOS...
     
  11. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    This person is very po'ed that I deleted all of his files he was hiding on my PC- so he's after me for sure.

    I flashed my bios, hoping that will make a difference.


    We'll see. :doubt:
     
  12. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Oh... OK....
     
  13. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    I think it's over with now! All the craziness! Since I flashed the Bios and ran sfc.exe and installed some of those monitoring tools you all suggested (mine weren't up to snuff, I guess), I have had pretty much no problems at all! No one is knocking at the door (I got my DSL and router re-hooked up), my registry is quiet, and everything's darn cool again!

    Yes, I am now convinced this WAS a BIOS embedded trojan that was screwing up my PC and somehow allowing the creep bothering me to get in.

    Thanks guys! I'm still "turning Pro" soon, though, because I am plain fed up with Home's limitations overall.... :D
     
  14. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
  15. jame232r

    jame232r Guest

    LOL, yet another one of those "superhacker broke into my computer despite a zillion precautions and a zillion methods of removal" stories.

    I suppose it's one of those ultrarare bios or even microcode malware that you hear in rumours

    No chance it's just user misindentification of a simple worm?
     
  16. niche99

    niche99 Guest

    "There is an "unknown user" with a numerical name"

    Partition a drive so that you have c:, d:, e: etc drives. Then install WinXP onto the c: drive. Put some files onto d: or e:. Now reformat only the c: drive and reinstall WinXP to the c: drive. Files on the d: and e: drives will now belong to a user from the previous installation of WinXP and will be identified by an SID number (long string of numbers which uniquely identifies a user). Reinstalling after a format can cause all sorts of user id conflicts on your drive and in the registry if you don't know what you're doing especially with simple file sharing disabled.

    niche99
     
  17. I too read this thread and concluded this could all be explained as "symtoms" of certain facets of XP behaviour.That is with the exception of the above,highlighted comment.

    What kind of files were they?

    Where were they hidden?

    Do you know a guy called Swami?He's a bit of a legend on the 'net.You should read his account of "The World's Worst Trojan".It's the stuff nightmares are made of...unless you have a best mate who has worked in computer programming all his life and can point catagorically to all the areas the tale falls flat.

    Hope all is well with your computer now,anyway.Why not learn an alternative operating system?
    Just to safeguard yourself?That way,when you get sick of all the exploits,and conclude Windows is no longer viable,the transistion wont be so daunting,if you have already familiarised yourself with GNU/Linux. Or Mac if you don't object to a complete hardware-overhaul.
     
  18. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Guys! When you catch the culprit that survived a BIOS flash, 3 reformats and homed in on a dynamic IP, please call it "HOUDINI...."
     
  19. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    The attack ceased when I flashed the BIOS- apparently, code was hidden as a rootkit way down there, as suggested by some of you on here. It did NOT survive the flash. I quote some stuff from Process Guard's Help section- sure wish I had had PC B4 all of this nonsense!!!

    3. Block Rootkit/Driver/Service Installation
    This option protects you again unauthorized programs loading drivers and services on your system. A new breed of software has emerged which are commonly called Rootkits. These Rootkits are extremely dangerous since they hide themselves fully from the operating system and most of the time you will never be able to notice it is there. Rootkits are even a danger to ProcessGuard so you should have this option enabled.
    If this option is enabled and an application you use wants to install a driver or a service it will be logged so you can see this. You can then determine if you want to give that application the ability to install drivers or services. A lot of security programs require the ability to install drivers and services, however be warned that giving unknown or non trusted applications the ability to install drivers and services can allow dangerous rootkits to be installed.


    What is a kernel-mode driver?
    Put simply, under Windows NT-based systems (including Windows 2000, Windows XP, and Windows 2003) a kernel-mode device driver is a 32-bit modular component that runs at a privileged level (known as Ring 0 to those familiar with Intel hardware) on the computer's CPU. As such, drivers run as trusted components of the kernel, virtually becoming a part of the operating system itself. See the Definitions page for a more detailed description.

    Kernel & User modes
    A Pentium microprocessor has four privilege levels, also known as rings, that control such things as memory access and access to certain sensitive CPU instructions (such as those related to security). Every thread executes at one of these privilege levels. Ring 0 is the most privileged level, with complete access to all memory and CPU instructions. Ring 3 is the least privileged level.

    In order to maintain compatibility with non-Intel systems, the Windows operating systems support only two levels of privilege - Ring 0 and Ring 3. When a thread is running in Ring 0, it is said to be in kernel mode. When a thread is running in Ring 3, it is said to be in user mode. Low-level operating system code executes in kernel mode, whereas, in general, user application code runs in user mode.

    Note that an application thread will switch from user mode to kernel mode when making certain API function calls that require a higher privilege level, such as those that involve accessing files or performing graphics-related functions. However, when the kernel mode code is completed, the user thread is automatically switched back to user mode. This prevents the programmer from being able to write instructions that run in kernel mode--the programmer can call only system functions that run in kernel mode.

    The protection from Process Guard comes from its driver, which runs in kernel mode.


    protects against all known "process based" modification attacks.


    1. Protect Physical Memory
    Applications that run with administrator privileges can actually access the physical memory on your computer. Every program you run is handled by Windows using "Virtual Memory" techniques which help to protect applications from one another. If an application can view or change the actual physical memory, then it has the possibility to change anything at all on the system which is in the memory. Obviously this is a major security hole which if not protected against, makes every single protection mechanism on your system vulnerable to attack.

    ProcessGuard however provides protection against all these physical memory attacks by restricting applications access to it. If some application you need to use actually requires physical memory access (a few security programs and games do), you can allow that specific application to access physical memory. This means you get the full advantage of protecting your system from this serious threat, whilst still using the programs you currently use.

    2. Block Global Hooks
    Global Hooks are used to add extra functionality to the operating system. Some of this functionality is good and some of it is bad. For instance with a Global Hook a program can record all your keystrokes and mouse movements. Malicious software uses this to steal bank passwords and pin numbers, as well as to intercept emails and many other things. By blocking global hooks you stop the malicious software from being able to do these things, however many normal programs use global hooks so don't just assume every global hook is a bad thing.

    If this option is enabled and an application you use requires global hooks then ProcessGuard will alert you. This will allow you to give that program the ability to install Global Hooks if you desire. Some applications are worse than others at handling not being able to install their global hook, so when in doubt you should always give trusted programs the ability to install Global Hooks. ..................
    [3. is above]

    4. Block Registry DLL Injection
    Programs can add their DLL to the list which is stored in this registry key. Once they have added their DLL it will be loaded by 95% of the programs you run on your computer. This leads to a possible attack whereby malicious software can put their DLL into a trusted program and do unwanted things. You should have this option enabled all the time since mostly malicious software uses it. Some spyware such as CoolWebSearch (CWS) use this technique to make it extremely hard to remove from your system.
     
  20. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    ENOUGH! HOUDINI is dead! It can't be done yet!
     
  21. james232r

    james232r Guest

    Thinks for teaching us about kernal based rootkits :)

    But a kernal based rookit does not = bios or microcode malware.
     
  22. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    HELPPPP Hacker keeps getting in despite 3 reinstalls

    Okay Guys---

    Now you guys TELL ME what the HECK is going on. I am obviously a newbie of sorts (but not THAT new) to computing and all of this crazy extreme malware stuff (having been pretty protected and educated overall for many moons without much hassle)---- MY F***IN system went south again!!!
    Right after I thought I had the thing licked, and happily said so here, the same crap started happening- new drivers getting installed, me being locked out of services like Components, all my MMc and WMI setups getting altered, files and programs appearing (not in the open, but in deep hidden admin shares), etc. etc. (which can be found by looking at modifications in SEARCH, thank goodness).

    And I have just about had it because I did YET ANOTHER full low format with Maxtor software, flash of the BIOS, install of Process Guard, Prevx, and umpteen other spyware and malware tools, a properly configured firewall, an up-to-date virus program BEFORE I got on the net- and BOOM- back in the trenches I was, fighting this unknown and undiscoverable (by normal means ) code. So now I am at six reinstalls.

    I decided to hell with XP right now until I find out how to deal with this, where it is hiding, etc., so I am on ME now (my old OS) and only so I can research this animal further, knowing full well that this is a way temporary situation. And all the same crap is happening to me now on ME as well.

    My confusion is about where this malware is hiding and what triggers it. It obviously isn't simply in the BIOS per se, cus it keeps reappearing despite redoing of that. And I can't tell if it is remanifesting when I jump online or when I import an old file from disk-- dumb me, I wasn't distinguishing or noting those steps properly.

    I can say, however, that since I loaded ME I have not imported a dang file from disk and it's showing up, meaning the alterations mentioned above are going down still, so I have to believe it is the getting online business that somehow spurs its renaissance. Last night I went four hours with no problems, after my reinstall which followed my last (overly hopeful ) post here---and then right at a specific time (which I tend to think was when I got online) the monkey business started again. But I'm not sure.

    The events, application and security logs show repeated infiltrations by "N/A" user shutting down and reconfiguring stuff- to wit, turning on remote access, UPnP, Web Client, etc. and the appearance of myriad files and tracks on the internet to sites I have never heard of (hacker sites, don't ya know)...on and on and on. Right at 9:30 or so, and my install was at 5:40pm.

    Please guys, I have been trying to research this beast on the net and am running in circles it seems. I cannot eradicate this damn thing because I cannot find another situation quite like it. SHould I uninstall all my drivers and cards (video, audio, etc.) or what? Is every file of whatever type I have saved off site infected and causing the reinfection, and if so, can they be cleaned? I mean how do you trace this kind of thingo_O How do beat it?

    I do have some intersting IP info on N/A which I plan to investigate right now, but I wanted to post this PDQ too to elicit your expert help if you'll grant it.

    I have read elsewhere that there is no solution. That even the experts cannot figure out how these newest rootkits or worms or whatever they are operate- their stealth and caginess seems to elude even the brightest safe crackers.

    What should I doo_O??

    And please boys, don't belittle or tease or make snide comments. This is serious sh*t to me- my life's work may be polluted now.
    HELP!!!!!! :(
     
  23. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    Galcoolest, I have sent you a private message offering my services...

    come on guy's she's female and in trouble, I have to help... :rolleyes:
     
  24. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    Sorry folks- can't diddle at this moment with proper quoting, cus I don't know how!- but here are some excerpts from the trojan section about these "super trojans" ---and my comments right after....
    8888888888888888888888888888888888888888888888888888888888888888


    From: A guy at Experts Exchange (posted by Starrob)

    So I need a new BIOS chip, probably.
    Only thing is that I already bought a new mainboard, memory, CD ROM, hard drive, video card and it still came back. So I don't wanna waste the money unless the box would be guaranteed completely clean. Plus, this means that initially, whatever kicked it all off had to be stored somehow on an original PnP component that has a driver that I didn't replace. These are:

    3.5 Floppy
    ThermalTake 9 Fan
    Keyboard
    Mouse

    BTW...did an install of XP Pro from a new factory OEM CD
    and this did not help.

    Oh...once installed, it seems to create a virtual duplicate drive for your floppy and CD ROM drives. I can see this because I can't connect more than one floppy drive when I should be able to connect two, and no slave CD/DVD drives are allowed...to do so means blue screen.
    Probably explains why FDisk and all the other dos utils don't work, becuase the version on the disk is not the version that's actually running. Rather, the one on the virtual disk is.

    On the plus side, I did figure out how to disable it before it installed all it's nastiness, by going in thru Recovery Console after a fresh install and getting rid of certain things that should not be there. However, who knows if this would keep someone out if I connected it to the net again?

    Way too weird.
    Maybe it isn't a hacker at all, but Microsoft's little monitoring tools in play. But there's so much I experienced while living with this individual I suspect that that's much harder for me to believe than anyone who reads this.

    So still unsure what to do to clean my box completely. A co-worker suggested I write a C++ program to write direectly to ROM...just don't have the time to do this at the moment.

    P.S. ewall..u want the script? I have it, but trust me, you probably don't want it.

    See, this is the problem with Windows. As they keep moving us farther and farther away from the base level, fewer folks know what to do when someone who makes it their purpose to know how to exploit the cracks tunnels down into them.
    &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
    From Paranoid 2000:

    BIOSes are system-specific. While trashing a BIOS is relatively straight-forward, writing a piece of malware that can alter a BIOS to replicate itself while not affecting other BIOS functions would be a true masterpiece. It would either have to be very system-specific (e.g. targetting Dell Inspiron laptops only - greatly limiting its spread) or include the ability to perform a comprehensive analysis of BIOS code to identify a good insertion point.

    The example given is ridiculous - not only does this "super trojan" alter drive interfaces, but it also includes a copy of Linux, can overwrite read-only CD-ROMs and presumably fouls up the local coffee machine too. The only remotely plausible explanation is that this PC is being continually re-infected by another system on their LAN.

    Malware can survive a reformat by creating a hidden disk partition and installing itself there - but FDISK should detect it, and allow you to remove it.

    &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
    from Controler:

    think if you look back on my old posting you will see me almost always mentioning for you to reflash your BIOS, FDISK, then reformat.
    Some paople can't just wipe their hard drives for critical info but they can still reflash their BIOS.
    I have seen a few hard drives that would not work unless they were low level
    formated first, then formated normaly.
    The newest thing lingering on the net Blaze is the ability of nasties to hide on the Video card memory I believe.

    On a side note after reading the post at the link Starob posted. I wonder why the dude didn't just pull the little itty bitty MOBO battery out for a while.
    Then the only data left in his BIOS should have been factory non reflashable data not including any rootkit. Yes he would have to reset all his BIOS settings again but that is far cheaper thejn buying a new PC.
    &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&


    From : Starrob
    If this thing was possible, I am quite sure that it would be talked about a lot more on the blackhat sites but it appears the script kiddies have more mundane concerns like how to keep their trojans hidden from existing scanners and how to keep from being detected by firewalls.

    I am quite certain that there are extremely bright people out there that might have built a super-trojan (possibly different governmens?) but I am relatively sure that those trojans capabilities are far less than the "super-trojan" in the article.

    Anyway...I doubt the super-trojan could defeat PG v3 as it stands right now. I think PG is a BIG problem for those trying to install trojans on a computer. Nothing is 100% but I believe PG would be extremely difficult for a large percentage of the computer gurus to beat.

    $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

    First off guys--- this IS being talked about all over the place- and I am in such a bloody rush right now, I cannot go hunt down links, my apologies (the links were on my last XP installation, the saved files for which I don't want to access right now...)

    Secondly, even doing a manufacturer-supplied low level reformat (Maxtor made my mobo and I used Powermax) with fdisk and repartitioning in new ways did ZILCH to get rid of this.

    Third-drives and drivers and components of all varieties seem to come and go so mysteriously that I cannot keep track of what is supposed to be there and what is bogus- duplicates abound, and it's practically impossible for someone like me to weed the real from the imposters.

    Fourth, I may not be a pro but I am no idiot, and I have never seen or experienced this kind of poisoning in my 10 years of "consumer computing". It's outrageous. What you guys have said about "c'mon, give me a break, can't happen" is outdated, hate to tell ya. IT CAN AND IS HAPPENING. Get out your slingshots, but I am witnessing it. :mad:
     
  25. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hi Galcoolest

    The best advise i could give you is to post in the Processguard forum here at Wilders (since you are a costumer), they are expert's in the field of trojan/rootkit's and would able to assist you much better than most other would be able to. I hope you find the course of this. :)

    Regards
     
Loading...
Thread Status:
Not open for further replies.