Hacker keeps getting in despite 3 reinstalls

Discussion in 'other security issues & news' started by Galcoolest, Nov 3, 2004.

Thread Status:
Not open for further replies.
  1. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    :D Better than the HOUDINI, ASMODEUS/666 theory I'd say! Though not as mystifying LOL! :D
     
  2. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    At the risk of being way off base here, I have been having a lot of the same problems since SP2. I was going to PM someone about it, but, since you are here I will copy it here!

    Marja

    Text to follow instead!
     

  3. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Hey guys! Here is my story -

    A while ago I noticed services being turned back on after I was logged off, new programs that I didn't even know what they were for!!!

    There is a thread in Software and Services, "Conflicting Apps", #35, Oct. 30, 2004 by me. It was something I saw on the Admin Apps Event Viewer. It seemed to be a "person" saying they could cause a security event if they didn't impersonate the user's "moves".

    The "person" was put in WMI to log on in the LocalSystem? I found the "name" HiPerfCooker_v1, in Google which led me to the MSDN library. It is supposed to be some super counter for MS.
    There were other "names" talked about; I also found them to be MS programs.

    They are programs WAY above my head, but, I thought maybe that is her problem, mine too, and a few other people on Google.

    So, it sounds like conversations and sneaky stuff, but maybe because we don't have any idea what they do or are? It is irritating that the services I want off get turned on all the time, but, I think it does have something to do with SP2. That is when my problems started. So far not major, I keep digging around to find out stuff, but, it is all beyond my puter knowledge!!

    Most of it is visible in the Event Viewer, and she said her viewer was going crazy with "un-wanted" persons logging on to her computer. Me too, why? Who knows. I hope someone can find out.
    Well, that is what I have found out so far, I keep looking, but, it seems clear to me it is MS and XP2, and by the way, all the people I have read about so far have Dell puters!?

    LOL! It is a crazy story, but, tell me how to show you my Event Viewer logs, and you might figure it out like that!!

    Well that is basically it, most of the stuff she says is bothering her is my problem too.

    I found a lot of it at the MSDN library, but I don't know what else to do?

    Marja:cool:
     
  4. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    It's not just any services, it's all the remote services, it's some kind of transfer service, "they" log on even after I log off, I am on dial-up. Just like if someone WAS using your computer along side and after you get off.

    But, everything I could look up led me to that library? With what sounds like a logical sounding program, except I don't want it using my computer.

    Could MS and one of its own programs (SP2) conflict with each other? MS complains that I am logging off when other people are logged on, NO. It keeps saying I am a workstation, NO. See, like the basic prog doesn't even know what the new one is doing?

    I just thought it would be someplace to start, and she isn't the only one.

    Thanks for your time!

    Marja:cool:
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Are you both using OEM CDs when reformatting?
     
  6. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    In the mad scramble to come up with the perfect system, we have all been guilty of installing apps that have become more and more beyond our comprehension. And powerful apps at that! Apps for this, apps for that, apps for everything including changing the color of our bathroom sinks.

    As the system configuration grows more complex, we unknowingly create the very thing we've been trying to avoid... vulnerabilities. Worse, these apps have created conflicts among themselves, such that an estimated 65% of computer problems have been attributed to conflicting background tasks (http://www.answersthatwork.com/TUT_pages/TUT_information.htm) rather than to hardware, viruses or malware!

    These problems are inevitable! (If Ad Aware finds Spybot as a threat, can you imagine the conflicts we are not aware of?) The countless problems when installing Win XP SP2 are seldom encountered during a clean installation. What does this say? Simply that third party apps can create these problems... yet these apps were installed to help us not create chaos...

    This may be a bit off base but relevant nevertheless to debunk Super Hacker theories... Besides, if I were a Super Hacker, I'd go for Fort Knox instead of MP3 copies of my favorite band... LOL
     
  7. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Yep! Useless pieces of plastic too, they are missing a lot of stuff! Right off hand I can't think of what, of course! But, I really had a hard time, I finally got this new hard drive, but, still OEM.
     
  8. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    I never doubted that there were problems... just the reasons presented...

    When causes are demystified, they somehow become less interesting. Is this why there is this insistence to pursue the Hacker/Trojan/Kill Bill theory?

    Where has everyone's logic gone to? 6 X 3 may be the same as 3 X 6 but a Venetian blind is not the same as a Blind Venetian! We are looking at symptoms here... not causes. Find the cause and the solution is not far behind.
     
  9. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Here are most of the names:

    A trusted logon process has registered with the LocalSecurity Authority and will be trusted to submit Logon requests: (for OTHER progs!)

    Rasman
    Chap
    \LSASRV.dll
    WDigest
    Lanman
    KSecDD
    scecli
    DCOMSCM
    \kerberos.dll:Kerberos
    o.dll:NTLM
    Schannel
    WinLogon\MSGina

    Also, sometimes they just use ID#'s. 0x0.0x3E5 - 0x0.0x3E4

    Hope this will keep you til tomorrow!! This is most of them I am sure!
    I will gather the other progs that just run amok, then.

    Thanks for your time, guys!

    Marja:cool:

    I am going off-line in a few, but will wait if you have questions:)
     
  10. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    At the risk of being off, allow me to give the following as an example of potential chaos: WinLogon.exe vs. WinLogon.exe.... Which one is the integral part of the Windows O/S? Which one is the W32.Netsky.C@mm virus?

    Windows NT4/2000/XP/2003 Logon application whose full path is either C:\WinNT\System32\Winlogon.exe or C:\Windows\System32\Winlogon.exe. This process manages users’ logons and logoffs on your PC/Server. The window which pops up and prompts you for your username and password, or which allows you to logoff or shutdown, is the WINLOGON process.

    If you have Windows NT4/2000/XP/2003 and the full path for this task is C:\WinNT\Winlogon.exe or C:\Windows\Winlogon.exe , then you may have the W32.Netsky.C@mm virus, or a newer virus. If you have Windows 95/98/ME then you definitely have either the above virus or a newer virus.

    AOL in an MS directory, duplicate file names... etc. the potential for conflict is everywhere.... Should we be surprised at the chaos in our systems?
     
  11. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Do you think ya have enough homework??:D I'm signing off!! :)
     
  12. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    I'm signing off now, hope you got enough work!:D
     
  13. sekuritas

    sekuritas Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    19
    Hmmm.... this looks very interesting. I would very much like to know the entrance door. Let me know and I would write something to detect it.

    Perhaps this may lead to something...
    1) turn on O/S audit trail log
    2) install a real time PC audit trail logger (like pclogger) to try to determine when it happened.
    3) run a disk snap-shot AFTER you have determined that the PC is cleaned
    4) investigate if there are any strange IP activities using tools like ethereal or ipticker
     
  14. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    You can use the checked version of the Kerberos.dll (client) or Kdsvc.dll (domain controller) file and a registry modification to output Kerberos debug statements to a debugger. For optimal reporting, use both checked files on domain controllers. When using symbols of Kerberos DLLs on Windows 2000, the debugger reports a warning that there is a mismatch in the checksums between the symbol and the corresponding executable image.

    Access violation in Lsasrv.dll causes server to become unresponsive. When you attempt to add computers to a domain during Windows NT Setup after you have installed the updated Lsasrv.dll file (Lsa-fixi.exe or Lsa- ixa.exe) on the Primary Domain Controller (PDC), you may receive the following error message: "A...."

    Discusses how to use the RPC Ping utility to troubleshoot connectivity issues for Outlook 2003. The RPC Ping utility is included with the Windows Server 2003 Resource Kit Tools.

    KSecDD
    You may receive the following STOP error message on a blue screen: STOP 0000001e (c0000005 f1b51f4b 00000000 80152e00) KMODE_EXCEPTION_NOT_HANDLED in KSECDD.SYS Note that the preceding STOP parameters may vary. This problem can occur when you are...
    The cluster node performs a random bugcheck and you receive either of the following error messages: STOP 0x000000b8 ATTEMPTED_SWITCH_FROM_DPC (b8) A wait operation, attach process, or yield was attempted from a DPC routine. This is an illegal...

    This article describes how to restrict the use of certain cryptographic algorithms and protocols in the Schannel.dll file. This information also applies to Independent Software Vendor (ISV) applications written for the Microsoft Cryptographic API....

    This article describes ways to troubleshoot and to resolve SCECLI 1202 events. The first step in troubleshooting these events is to identify the Win32 error code. This error code distinguishes the type of failure that causes the SCECLI 1202 event....

    WinLogon\MSGina: Gina must be an MS programmer


    It seems like parts of the NT source code have appeared in your monitor. I'm afraid that there is no Super Hacker/Trojan here... Just bits and pieces of files used in programming NT....

    :rolleyes:
     
  15. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    One thing I forgot about that might be worth doing is going into TDS-3, click "scan control" and tick "Scan for Clients/EditServers" THEN scanning in safe mode.
    Also run WWDC if you haven't already.

    longhorn: I know what you mean, but we can't rule it out completely yet. There ARE tools for doing what is being described, no matter how far fetched you may think they are. Some of the names mentioned by Marja are IIS related, which is used by worms and direct attacks alike. If they had access to gpedit things would be a lot easier. I just don't see anything being ruled out completely yet. I believe that between SafeXP and WWDC at least some of these components can be disabled easily.

    sekuritas: agreed, although I'm not sure you can turn on auditing in XP Home, and PortExplorer is probably the more user friendly alternative to Ethereal and such.
     
  16. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Yeah.... Look at the posting time.... all of about 30 minutes....
     
  17. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    0x0-0x3e4 also points to IIS..
    http://pluralsight.com/wiki/default.aspx/Keith.GuideBook.WhatIsAWindowStation
    (this explains securing these things, but hopefully we can just get them removed)
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    These are all names of Windows system processes - I'd suggest that you've enabled too much logging on your system which is why you are seeing all these reports. It would be better to restrict logging to authentication failures rather than successes to avoid this.
    • Rasman - Remote Access Service Manager.
    • Chap - Challenge Handshake Authentication Protocol (used to verify via user/password your identity to an ISP when you connect to them), see RFC 1994 for more details on this standard.
    • \LSASRV.dll - Local Security Authority Server, used to check and verify security requests.
    • WDigest - this is an authentication mechanism introduced in Windows XP for web pages, see What Is Digest Authentication?.
    • Lanman - Local Area Network Manager, handles file and printer sharing and supports an older (and weaker) method of authenticating network users used by Windows 95/98 systems.
    • KSecDD - "Ksecdd is a very thin component that NTFS calls to communicate with the LSA. Ksecdd is used to set up local procedure call (LPC) communications to the LSA." taken from How Encrypting File System Works.
    • scecli - "Provides client side interfaces to the security configuration engine and does Resultant Set of Policies (RsoP) logging during policy propagation." taken from How Security Settings Extension Works.
    • DCOMSCM - Appears to be a utility for the Microsoft SQL (Structured Query Language - a standard for searching databases) Desktop Engine. See Microsoft SQL Server: MSDE 2000 Features - even if you have not installed the SQL DE yourself, you may have a Windows component or application that has.
    • kerberos.dll - Kerberos is a method of authentication using keys, see What Is Kerberos Authentication? for more details.
    • o.dll:NTLM - an authentication protocol, see NTLM for more info.
    • Schannel - "A security package that provides authentication between clients and servers." taken from MSDN Security Glossary.
    • WinLogon\MSGina - WinLogon handles user logins, running GINA (Graphical Identification and Authentication) which creates the Ctrl-Alt-Del login prompt that appears on startup. This can be replaced if you wanted to use an alternative method, e.g. biometrics. See MSGina.dll Features for more details.
    All of these are "standard" Windows processes. While it certainly is possible for some to be compromised by malware or trojans (and some spyware uses similar file names to appear legitimate), their existence and activity is by no means an indication of problems on your system. If in doubt, a Google search on the filename (adding the term site:microsoft.com to restrict results to Microsoft's own website) should provide more details - this is pretty much what I did to find the links above.

    The JSI FAQ 2139 » What is the module/service load order of a 'typical' Windows 2000 domain controller? article should give a pretty good idea of how complex a "typical" Windows system can be under the hood (which is one reason why fully securing them is all but impossible). You can simplify things by shutting down unneeded services and Black Viper's site is the best source of information here - but do take things a step at a time since disabling certain services can prevent key tasks like network access.

    Also see this Usenet Have I been hacked if... thread for another example of legitimate activity causing concern.
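    A detection-side illustration of Paranoid2000's point, as an added example that is not from this thread: a small triage script over constructed Security-log lines that marks the stock logon packages listed above as expected boot-time noise and flags anything else, plus audit failures, for review. The simplified log format, the sample lines and the placeholder package name UnknownPkg_example are constructed; the well-known logon session IDs 0x3E4/0x3E5/0x3E7 are fixed Windows constants.

```python
"""Triage constructed Windows XP Security-log lines (added example)."""
import re

# Logon/security packages of a stock Windows XP install (the names
# Paranoid2000 identified). Compared case-insensitively on the last
# path component, so "\kerberos.dll:Kerberos" matches "kerberos".
KNOWN_LOGON_PROCESSES = {
    "rasman", "chap", "lsasrv.dll", "wdigest", "lanman", "ksecdd",
    "scecli", "dcomscm", "kerberos", "ntlm", "schannel", "msgina",
}
# Well-known logon session IDs Windows assigns at boot (constants).
WELL_KNOWN_LOGON_IDS = {"0x3e7": "SYSTEM", "0x3e5": "LOCAL SERVICE",
                        "0x3e4": "NETWORK SERVICE"}

# Constructed sample in a simplified Event Viewer export shape:
# <date> <time> <audit type> <event id> <message>. Event 515 is the
# "trusted logon process has registered" event quoted in the thread;
# "UnknownPkg_example" is a placeholder, not a real component.
SAMPLE_LOG = """\
2004-11-03 21:14:02 SuccessAudit 515 A trusted logon process has registered with the Local Security Authority: Logon Process Name: Winlogon\\MSGina
2004-11-03 21:14:03 SuccessAudit 515 A trusted logon process has registered with the Local Security Authority: Logon Process Name: \\kerberos.dll:Kerberos
2004-11-03 21:14:05 SuccessAudit 515 A trusted logon process has registered with the Local Security Authority: Logon Process Name: Schannel
2004-11-03 21:14:09 SuccessAudit 515 A trusted logon process has registered with the Local Security Authority: Logon Process Name: UnknownPkg_example
2004-11-03 21:15:41 SuccessAudit 528 Successful Logon: User Name: NETWORK SERVICE Logon ID: (0x0,0x3E4) Logon Type: 5
2004-11-03 22:02:17 FailureAudit 529 Logon Failure: Reason: Unknown user name or bad password User Name: admin Logon Type: 3
"""

EVENT_RE = re.compile(r"^(\S+ \S+) (\w+) (\d+) (.*)$")
LOGON_PROC_RE = re.compile(r"Logon Process Name:\s*(\S+)")
LOGON_ID_RE = re.compile(r"Logon ID:\s*\(0x0,(0x[0-9A-Fa-f]+)\)")


def normalize(name):
    # '\kerberos.dll:Kerberos' -> 'kerberos', 'Winlogon\MSGina' -> 'msgina'
    tail = name.split("\\")[-1]
    return tail.rsplit(":", 1)[-1].lower()


def triage(log_text):
    """Return (event_id, verdict, detail) per parsed line; verdict is
    'expected' for stock boot-time noise or 'review' otherwise."""
    findings = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue                      # skip blank/unparseable lines
        _stamp, audit_type, event_id, msg = m.groups()
        event_id = int(event_id)
        if event_id == 515:               # a package registered with the LSA
            proc = LOGON_PROC_RE.search(msg).group(1)
            known = normalize(proc) in KNOWN_LOGON_PROCESSES
            findings.append((515, "expected" if known else "review", proc))
        elif event_id == 528:             # successful logon: check session ID
            lid = LOGON_ID_RE.search(msg)
            who = WELL_KNOWN_LOGON_IDS.get(lid.group(1).lower()) if lid else None
            findings.append((528, "expected" if who else "review", who or msg))
        elif audit_type == "FailureAudit":  # failures are what to keep auditing
            findings.append((event_id, "review", msg))
        else:
            findings.append((event_id, "expected", msg))
    return findings


def needs_review(log_text):
    """Only the findings a person should actually look at."""
    return [f for f in triage(log_text) if f[1] == "review"]
```

    Run against a real export only after adapting EVENT_RE to that export's column layout; the point is that the long list of 515 events a service-heavy XP box logs at boot collapses to the one or two lines worth reading.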
     
  19. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Most of the names mentioned by Marja are debugging tools/modules used in developing NT!

    Some things don't change and the most basic consideration in this business is motivation.... We are discussing here a system that allegedly calls home, a Super Hacker /Trojan that has survived 3 reformats, a Bios Flash and what else. C'mon. Much as I would like to be entertained by such possibilities, the motivation to do so simply does not exist. You've heard rumors to that effect. I've heard the same rumors. But that's exactly what they are! Rumors!

    We cannot insist on attributing super powers to these sleazeware because there is no motivation on their part to acquire these capabilities. Yet. Some things don't change. A super hacker would never break into a system because some gal pissed him off by deleting his MP3 files. C'mon. I can come up with a better scenario. A script kiddie would be a more likely candidate but he won't have the skills to develop such a super Trojan. In the real world, social engineering would be a more effective means to break into a system. Not a trojan application but rather a real live insider breaking into a system from within.

    A direct attack would also seem plausible but this would involve DoS to force a core dump and retrieve shadow passwords but then the question arises: What for? A recently reformatted HDD? LOL! C'mon!

    What's that you say? It's a dry run? A test? An attack on a poor damsel in distress? Try my IP address: 192.168.0.1 because a Super Hacker's target will be a hundred times more impregnable. LOL! Testing galcoolest's IP is not a real test!

    Nah! There's no logic in the Super Trojan line of thinking. I wish there were so things would really be exciting but I'm afraid there's none.
     
  20. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    I should have looked this up too, but i thought it was already pointless after the first few hits that turned up common window processes. My apologies... :oops: :oops: :oops: :oops: :oops: :oops: :oops: :oops: :oops: :oops: :oops: :oops: :oops: :D
     
  21. controler

    controler Guest

    Hi All

    First off, I always mention here to reflash your BIOS before repartitioning and formatting.

    Next, unless all these issues are resolved by now, here is the MS page that lists programs broken by SP2:

    http://support.microsoft.com/default.aspx?kbid=884130&product=windowsxpsp2

    As you can see Zonealarm and Norton are both listed. If you have one of these programs on your computer that does not like SP2, how would two or three on the same system react?
    Are all these problems with SP2 being caused by every software maker wanting to have a low level driver? I don't know.

    Bruce
     
  22. james232r

    james232r Guest

    Have we considered the possibility that Longhorn is the superhacker that is in galcoolest's computer and he's trying to confuse the issue?

    LOL. But yes, I agree fully with your guess.
     
  23. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Maybe she has a computer with multiple personalities, it is called schizzoputer and it is not cheap to have one...:lol

    have a nice eve.

    I am curious how this evolves....
     
  24. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    :D :D :D I can just read the headlines!

    Super Hacker breaks into civil activist lawyer's computer to retrieve MP3 files that were deleted just to piss him off! Said lawyer has engaged the services of Wilder's Security Forum members to establish prima facie evidence of the crime! There was an uproar in the local DShield.org office who has claimed jurisdiction over the case. However, the lawyer inadvertently filed her complaint with the Feds, much to the confusion of everybody concerned. No names were mentioned in the charge sheet to protect the identity of the suspected Super Hacker.... :D :D :D
     
  25. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Well DUH!! I knew they were MS progs. What I need to know, Notok and Paranoid is how to keep these busy-work services, and the remote services OFF! As soon as I turn them off, sooner or later, they come right back on. Even after I have logged off.

    If MS wants to run all this junk on my computer - maybe they should upgrade it and pay for it! LOL!

    If I am on a dial-up, how are they logging on as I log off?
    I guess I would also like to know what they are doing? It's not like I am running huge science or math projects, geeez!!

    Any help is appreciated, sorry no Super Hacker Still_Longhorn, it would be more fun, huh? :D
     