Hacker keeps getting in despite 3 reinstalls

Discussion in 'other security issues & news' started by Galcoolest, Nov 3, 2004.

Thread Status:
Not open for further replies.
  1. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I dunno, right now this looks to me like a matter of having IIS running (running webserver, etc) and being exploited. It's more than possible that Dell decided to put IIS on their XP Home installs (IIS is not supposed to even be on XP Home) and someone happening along these services running. I know that SP2 has a flaw that will essentially broadcast your network info if you have file & printer sharing running.. this doesn't sound to me like either a super hacker or super trojan, but something achievable by script kiddies.

    This is why I recommend completely uninstalling File & Printer Sharing (as described earlier in the thread) to begin with. Next step would be to go into add/remove programs > windows components, and look to see if "Internet Information Services", "asp.net", or "application server" is listed there anywhere and uninstalling it if it is.

    Look, longhorn, I'm not just looking for drama here.. I like troubleshooting. It doesn't matter to me what the root of the issue is, as long as it gets fixed. One of the ways you do that is to start ruling out the widest range of issues that you can and then work your way down.. sometimes it takes a while to get down to the information that's useful enough to solve the problem. Outright criticism of the users responses rarely helps in this. If you have some helpful ideas other than "what you're saying isn't possible, you're a moron" then I'd be glad to hear it. (I'll strike that.. I know my methods haven't been exactly meticulous in this thread, but give me a break, alright? It's not like I've got any SOP docs to go on. We'll get there, though.. sooner if someone that actually has experience with what's being described jumps in.)
     
    Last edited: Nov 10, 2004
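    The check Notok is describing above (are IIS/ASP.NET components installed, is anything listening on the NetBIOS, SMB and HTTP ports, and is File & Printer Sharing still bound to an adapter), written out as an added example that is not part of the thread. It assumes a modern Windows host with the NetTCPIP and NetAdapter modules (Windows 8 / Server 2012 or later) and an elevated prompt; the port list and the "watched" meanings are my own choices, not something the thread specifies. On XP-era hosts the equivalent is `netstat -ano` plus Add/Remove Programs > Windows Components.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumes: Windows 8 / Server 2012 or later (Get-NetTCPConnection, Get-NetAdapterBinding).

# Ports the thread is arguing about, and what a listener on them means.
$watchedPorts = @{
    80  = 'HTTP (IIS World Wide Web Publishing, if w3wp/inetinfo owns it)'
    443 = 'HTTPS (IIS)'
    135 = 'RPC endpoint mapper'
    139 = 'NetBIOS session service (File & Printer Sharing over NetBIOS)'
    445 = 'SMB direct (File & Printer Sharing)'
}

function Get-ExposedLegacyListeners {
    # Every TCP listener on a watched port, with the owning process and whether
    # it is bound to all interfaces (reachable from the LAN/Internet) or only loopback.
    Get-NetTCPConnection -State Listen |
        Where-Object { $watchedPorts.ContainsKey([int]$_.LocalPort) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port      = $_.LocalPort
                Meaning   = $watchedPorts[[int]$_.LocalPort]
                BoundTo   = $_.LocalAddress
                AllIfaces = ($_.LocalAddress -in @('0.0.0.0', '::'))
                Pid       = $_.OwningProcess
                Process   = if ($proc) { $proc.ProcessName } else { '(unknown)' }
            }
        }
}

function Get-IisFeatureState {
    # Modern equivalent of looking for "Internet Information Services" / "ASP.NET"
    # under Windows Components: any of these Enabled on a workstation that is not
    # meant to be a web server is a finding.
    Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'IIS-*' -or $_.FeatureName -like '*ASPNET*' } |
        Where-Object { $_.State -eq 'Enabled' } |
        Select-Object FeatureName, State
}

function Get-FileSharingBindings {
    # ms_server is the "File and Printer Sharing for Microsoft Networks" binding.
    # Disabling it on every adapter is the scripted form of the unbinding step
    # recommended in this thread.
    Get-NetAdapterBinding -ComponentID ms_server |
        Select-Object Name, ComponentID, Enabled
}

'== Listeners on watched ports =='
Get-ExposedLegacyListeners | Format-Table -AutoSize

'== IIS / ASP.NET optional features that are enabled =='
Get-IisFeatureState | Format-Table -AutoSize

'== File & Printer Sharing binding per adapter =='
Get-FileSharingBindings | Format-Table -AutoSize

# To drop the binding on every adapter, uncomment the next line. Only do this on a
# host that is not meant to serve files to anyone.
# Disable-NetAdapterBinding -Name '*' -ComponentID ms_server
```

    A listener on 139 or 445 bound to 0.0.0.0 with `Enabled = True` on the ms_server binding is exactly what a NetBIOS/SMB scanner on the same network segment will find; a listener on 80 owned by `inetinfo` or `w3wp` confirms IIS is actually serving, not just installed.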
  2. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Slowly, the picture is clearing up... The common denominator here appears to be SP2. There appears to be too many horror stories encountered AFTER the installation of SP2 in systems with third party utilities in place. I still have to come across the same problem where a "clean" installation was involved. What does this say? Obviously, the presence of conflicts brought about by third party apps that were supposed to make our systems more secure !

    From what I've read so far, it seems that many of your remote services are enabled without your permission thus leading you to believe that someone other than yourself has control over your computer. Being security conscious, I assume that you have set these services from automatic to manual start up at the very least. In effect, what you have really done is prevented these services from running upon boot. However, you have not prevented other applications from starting these services when the need arises. A conflict can trigger this need (who knows what really goes on under the hood?). To prevent these services from being activated by other applications, you may have to set their start up type to "Disabled."
     
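    The distinction still_longhorn draws above (Manual only keeps the service from starting at boot; Disabled is what stops other software from starting it on demand) as an added example, not from the thread. It assumes Windows PowerShell 5.1 or later on a modern host and an elevated prompt; the service names are an illustrative set I chose (Remote Registry, Telnet, IIS, Messenger, UPnP/SSDP), not a list the thread gives, so adjust it to your own machine. On XP the same change is `sc config <name> start= disabled` followed by `sc stop <name>`.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumes: Windows PowerShell 5.1+ (ServiceController.StartType is exposed).

# Illustrative set of remotely reachable services; edit to taste.
$remoteServices = @(
    'RemoteRegistry',  # Remote Registry
    'TlntSvr',         # Telnet
    'W3SVC',           # IIS World Wide Web Publishing
    'IISADMIN',        # IIS Admin
    'Messenger',       # Messenger service (net send), XP-era
    'SSDPSRV',         # SSDP Discovery
    'upnphost'         # UPnP Device Host
)

function Get-ServiceStartupAudit {
    param([string[]] $Names = $remoteServices)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Not installed on this build: the good case for most of these.
            [pscustomobject]@{ Name = $name; Present = $false; StartType = $null; Status = $null; Finding = 'not installed' }
            continue
        }
        # "Manual" (DEMAND_START) only stops the SCM from starting the service at
        # boot; any process holding SERVICE_START rights can still call StartService.
        # Only "Disabled" makes that call fail (ERROR_SERVICE_DISABLED).
        $finding = switch ($svc.StartType) {
            'Disabled' { 'ok' }
            'Manual'   { 'startable on demand by other software' }
            default    { 'starts at boot' }
        }
        [pscustomobject]@{
            Name      = $name
            Present   = $true
            StartType = $svc.StartType
            Status    = $svc.Status
            Finding   = $finding
        }
    }
}

function Disable-RemoteService {
    # Stop the service and set its startup type to Disabled. Supports -WhatIf so
    # the plan can be reviewed before anything changes.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]] $Names = $remoteServices)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.StartType -eq 'Disabled') { continue }
        if ($PSCmdlet.ShouldProcess($name, 'Stop and set StartupType=Disabled')) {
            if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
            Set-Service -Name $name -StartupType Disabled
        }
    }
}

Get-ServiceStartupAudit | Format-Table -AutoSize

# Preview first, then apply and re-audit: StartType should then read Disabled.
Disable-RemoteService -WhatIf
# Disable-RemoteService
# Get-ServiceStartupAudit | Format-Table -AutoSize
```

    Services left at Manual are the ones to look at when a service appears "started without permission": something else on the box requested it, which the System event log (service control manager events) will show.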
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Here's a link for that...
    http://www.pcwelt.de/know-how/extras/103039/

    (this applies to sp2 being applied over sp1)
     
  4. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Notok,

    There is an IIS something running, MS keeps trying to get me to d/ld .NET, but, it is already on my puter at around 59MB. So, I don't know what that is about. Do you want me to give you names of what is starting up? Like someone here said, maybe they are turning on services it needs?

    IIS had to re-register .ASP NET to get IIS to run, also they needed something with .NET CLR Networking. Down at the bottom of the box there are messages in a smaller box. Let's see the ISAPIS search service was successfully removed, then later it is successfully loaded again?? See, it sounds like an ant colony with no winter coming o_O

    Things get unloaded, loaded, but I am usually not on-line so o_O What is the point?
     
  5. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You need to get the IIS components completely removed.. they shouldn't be there unless you are running a server. One of those "extras" that MS should have made admins install separately if needed.

    I have to go to work very soon, try to get that stuff removed and post what you've done and what you can't figure out. Screenshots are helpful. I'll look more into it when I get home, if needed.
     
  6. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    I didn't even WANT SP2 yet, I was waiting for the CD, clicked on auto updates to d/ld a patch, left it on and the next day I had SP2. It was really glitchy at first too. I had to go through the whole thing turning on or off things that had been changed. I had no audio, I had to flash my bios too. Pretty much any annoying thing you can think of it did?

    So, I had ZA as a firewall then too. Hmm, so are they saying it doesn't matter if you are on a dial up, it acts as its own server? I heard the Pro version has that, not home!! Wow, it certainly isn't serving me, sorry Still_Longhorn, but it DOES sound like a dry run for something when you think of all this busy work!! LOL!

    I'll leave you deep thinkers alone, wish I could somehow just show you what the boxes say, I might miss something writing it down?

    Think I will find those progs you said to use, Notok and Paranoid.

    Thanks!! :)
     
  7. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You've gotta go into add/remove progs and uninstall this stuff.. I'm guessing there's a lot of crap in there that isn't doing you any favors. I'll try to post screenshots tonight.
     
  8. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Most internet applications try to act as servers if allowed to! ZA, Naviscope, etc.

    Aww... Shucks! close to 10 years of computer security experience down the drain because of a Sandra Bullock movie...! LOL! Oh well....

    BTW, I suggest you D/L TUT from http://www.answersthatwork.com/TUT_pages/TUT_information.htm before you run off to look for spies under your bed... and the closet...the garage... and don't forget your neighbor's basement. As I said in a previous post, when you find it, call it HOUDINI... Happy hunting guys!
     
  9. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Use a screen shot!
     
    Last edited: Nov 10, 2004
  10. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    You can look under the beds and closets, I'll look in Add/Remove! Gee, and you look like such an innocent kid!!:)

    Thanks, Notok!! It will be fine, I'm sure!! :D

    Later, Marja:cool:
     
  11. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Visited this link http://www.pcwelt.de/know-how/extras/103039/ and read about so much crap and half truths:

    The default for Windows is the bundling of services, hardware and protocol. When SP2 is installed, all previous defaults are re-enabled including Printer/File sharing, Plug and play, and NetBIOS. Most hackers look for NetBIOS vulnerabilities as this is the most common one. In fact, the Legion v2.1 can scan the net for the presence of NetBIOS and map any system's drive found to have it with a simple click on a button. Therefore, NetBIOS and file/printer sharing have to be unbundled (as they are not needed) in most cases.

    Duh? This is not rare because of the "lightning won't hit me" attitude of most internet users. Or just plain laziness. I have seen too many systems that simply use the default passwords provided by windows. In fact, in Hacking 101, the first passwords tried are the known system default passwords and in many cases this will suffice. Another fact is that in 1 out of 20, passwords are the same as user names. Plain laziness or just plain stupidity!
     
  12. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Yeah sure! I worked on a Criterion 8500 (NCR Mainframe) when I was 20, (too old by today's standards) so I am starting my daughter young... she's 2 and well on her way....

    It should be! There's nothing wrong.... No offense intended. :rolleyes:
     
    Last edited: Nov 10, 2004
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Windows - like every other complex operating system, has overheads. Housekeeping needs to be done, features need to be supported, hardware needs to be monitored. If all this complexity bothers you, then remove Windows and install DOS (or FreeDOS) instead. No background processes there, just drivers, TSRs and the struggle to free up as much of the first 640K of memory as possible.
    Pardon me for being a little blunt here, but my previous post had 10 links which would have given you plenty of information. Given that I spent over half-an-hour digging up those links, at least you could have the courtesy to spend a few minutes checking them out...
     
  14. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Imagine your home network. Imagine the file/printer/resources sharing enabled in your trusted home network environment. This is the environment Windows was made for. Nice & cozy, right?

    Now, extend this configuration to go across the street, then the next city, next country. Great, right? Now everybody in your family can access files across the street, next city, next country....

    Unfortunately, this works both ways... the ease by which anyone in your family can access data across the street is the same ease that whoever lives across the street, can access all your data. Bummer, you say?

    Welcome to windows! This is what we had when the World Wide Web came into being and they're just beginning to play catch up!

    MS doesn't want an estimated >250,000,000 users calling Support for instructions on how to turn on certain features of Windows so they left these features on by default. Great for MS. Score 1 for the baddies! LOL!
     
    Last edited: Nov 10, 2004
  15. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    Best advice thus far! Windows XP is a very complex system developed to be everything to everybody. Who knows what the smallest bug in its code could do? or the minutest conflict? When MS developed it, third party applications were the least of their considerations. SP2 was long overdue and by the time of its release, millions of systems had third party apps in place... And most of you expect a trouble free upgrade to SP2? C'mon! For crying out loud! It's easier to check for conflicts than to look for imagined spies. Rule out the conflicts then I'll join you on your spy hunt...!
     
  16. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    And what do you think I've been trying to do? I've been reading between the lines. Have you?

    SP2 does not broadcast file and printer sharing... but any network scanner worth its weight in salt can determine the presence of file/printer sharing (whether or not SP2 is installed)... Thus, the fault is with Windows for making it the default and the user for leaving it enabled.

    Any hacker, script kiddie and alert Sysad will always test for this vulnerability. This is relevant only when one needs access to an entire network (as this feature provides the means & infrastructure) but useless to hackers or script kiddies where stand alone systems are concerned.
     
    Last edited: Nov 10, 2004
  17. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Lesson learned, I'll keep the rest of my responses private.
     
  18. still_longhorn

    still_longhorn Registered Member

    Joined:
    Oct 3, 2004
    Posts:
    256
    For chrissake Notok! This is a forum where there can be as many points of view as there are participants! There were no attacks on personalities... just on the ideas/points discussed.
     
  19. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    No offence meant or taken, longhorn, but I will take my end of the convo to PM to further avoid the complicated miscommunications I see developing.

    If you have further sources for me to explore, I would greatly appreciate it. :)
     
  20. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    Guys--


    I was not able to be online since Tuesday- and notice much more input has been integrated since then- have to read it all carefully and assimilate.
    I agree, this is all most probably an SP2 conflict, not some Super Hacker- but as a relative novice it sure looked that way. As I am now on ME for the quiet of it all, I'll read up, learn and get back to you folks.

    Thank you people SO MUCH for your generous level of response and insight- I am so impressed and grateful at the outpouring of help you are offering.

    I will get back here ASAP as soon as I clear up some email priorities and can read what all you all are telling me.

    Thanks again,

    Gal
     
  21. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Well, I sure didn't expect to find such enthusiasm still going on! :)

    Paranoid, I have nothing but respect for you and read your posts all the time to learn what I can!! I am sorry if my flippant attitude angered you o_O

    Your information on the progs and the links are full of information, as you said, unfortunately, I am still learning all of this, most of your links will take alot more time for me to understand and learn from. I am still very much a newbie at the what, how and why of computers!! You have given me a fine gift, plenty of homework learning about something I really want to understand!!

    Still_Longhorn, I don't know you, can't understand your "frustration"? Some of us would rather not talk at all, than be talked down to.

    I came here, in the first place, because I thought I could help someone, who sounded soo upset and tired of not getting anywhere, I know how it feels to see your computer totally crash and not be able to do anything about it!! That is why I came to this forum, I stayed because of the helpful friendly people.

    The reason I am here now, WAS to post the screen shots you said you wanted, S_L, but, maybe it is better to leave well enough alone.

    Thank you all for your helpful, if somewhat daunting, advice!

    Marja:cool:
     
  22. Galcoolest

    Galcoolest Registered Member

    Joined:
    Jun 18, 2004
    Posts:
    229
    Location:
    San Francisco
    Just wanted to add that I am gleefully enjoying total peace and quiet and cleanliness over here with ME on my PC- Trend and Panda are scanning me clean as a whistle, and the whole spyware-warrior crew (adaware, spybot, etc.) do find the regular nuisances, but they're easily 86ed.

    I am involved in an Ebay auction for the Pro edition- and realized after I friggin bid that it's not over for two more days, so looks like I'm hanging in limbo with ME til Saturday or so (can't retract the bid, cus I don't qualify for it).

    But in the meantime, I am going to keep doing my homework about all of this. And I reiterate- thanks all of you contributors for spending the time and effort to join in with your insights on this- I never imagined so many would post! It's a great help, and I am truly grateful.... :D
     
  23. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    GalCoolest, it is good to know you are having a peaceful day!! Glad your ME is working for you!!

    Notok and all,

    These are some screenshots of my Event Viewer, if you know how to post more than one, let me know!!:)
     

  24. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    That one is what started it all for me. :)
    Some of these are too big, I guess, tried to make them smaller.
     

    Attached Files:

  25. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    I was going to try to keep them in order as they appeared, but the server had different ideas.
     

    Attached Files:

    • EVT2.jpg
      EVT2.jpg
      File size:
      91.7 KB
      Views:
      148