Help Dell Laptop turned into a Server

  • Question

  • I am posting this here as my Laptop has been turned into a Windows server without my consent. I do have Group Policy setup but I have no control over the contents.

     

    I need help with a serious hacker issue. Someone, somehow has complete control over my system. I have a Dell Vostro V13 laptop running Windows 7 Home Premium 64bit. Memory is 4 GB DDR3 1333MHz SDRAM, 1 DIMM with Intel Core Processor ULV i3-380UM (3M Cache, 1.33GHz, 800MHz FSB). It has a 500GB SATA Hard Drive. This issue has been going on for some time now (possibly up to 1 year) but it has gotten much worse as time has gone on and the hacker(s) have gained more control over my system. This actually started on a previous laptop I had.

    The hackers have turned my machine into a server and are using it to either play games or to resell bootlegged software and or maybe to gain personal information on me. Not entirely certain of their motives but it has caused me many, many problems. At one point I found a reference to allowing up to 100 client connections into my new Dell server. Here are some of the odd things I see.

    My OS Build Version shows 6.1.7600 Build 7600. When I run the Dell diagnostics utility it shows something in the 4,000 range. This is the same build version I showed on my previous Laptop but it had the Home Starter Windows Package loaded.

    My boot device is \device\Harddiskvolume1. I don't know if this is strange or not. My hard disk is 0.

    I have been placed into a domain and do not have complete administrative control over my system. I have admin rights but the domain server admin has more rights than I do and this person is the hacker.

    Installed Physical Memory is 4GB
    Total Physical Memory is 3.8GB. I believe the hacker has used some of my memory allocation to reside their malicious software.
    Available Physical Memory is 3.35. This is after a safe boot load.
    Total Virtual Memory is 7.6 GB. I have tried to uninstall the virtual memory but it keeps coming back.
    Available Virtual Memory 7.14.
    Page File Space 3.8GB. I have tried to delete the page file but I can't. I also have what is called a hiberfil.sys file on my system and this is currently 4GB in size and I can not delete it.
    Page File c:\pagefile.sys

    I am now fairly convinced my problem is somewhere in the memory. I think a Ramdrive or Ramdisk loads at boot. I have a 500GB hard drive but I can only see 465GB. The remaining disk space is reserved for a X: drive that I can only see and navigate to when I get into a System Restore mode and get into the command prompt. Once I get into the z: drive I can see all sorts of files that I do not believe belong there. I have attempted to remove the files but they all recover at my next boot. I have even seen them recreate themselves before my very eyes after I deleted them. I can't delete every file. Many are protected and I do not have the sufficient admin rights to delete them nor can I gain those rights. I have tried to reformat the z: drive but I have been unsuccessful. I get a write protected error. I have however been able to format the c: drive but this did not resolve the problem. I have now reloaded the OS over 20 times in the past month and it is now becoming clear that it will never solve my problem. When I run the set command from the c: drive many of the settings are different than when I run that command from the z: drive. As an example the Computer Name is different. It is as if I have two computers and two OSes running at the same time. One for the Domain Administrator (i.e., hacker) with complete control and one for me which allows the hacker to see everything I do and to prevent me from gaining access to my own machine.

    I believe the hacker has a system image and has a CDROM capable reboot. I do not have the technical knowledge to understand how this all works but I do know this person is accessing my system at blinding speeds. He or she is somehow contacted every time I gain network access as the moment I get online they are in my system. I have tried to prevent this via the firewall but last night the hacker just deleted my firewall. They also took over my USB dongle I was using for Internet access. They changed the PIN on one of my SIM Chips which prevented me from accessing the service. I had another SIM Chip with a PIN already programmed into it and they just modified the USB software to disallow the use of a PIN. I watched as this person had internet access via my system and I was denied access somehow. One thing that I am perplexed about is how this hacker is gaining access to my Laptop. They seem to be able to access it even when I am not connected to the internet. I have found hidden files that are called hiddenpbx. I do not know if this is a back door or not. I delete the files but they always come back.

    When I look at my memory resources I see IRQ 81 to IRQ 190 reserved for a device called Microsoft ACPI Compliant System. This seems odd to me. This is a lot of upper memory reserved for something.

    All my Dell devices that came reinstalled have been replaced with some generic devices of unknown origin or these so called Microsoft Compliant Devices. Every time I reinstall the devices they last a day and then are replaced.

    Every time I reload the OS I run across strange log files that reference this x: drive. It appears as if the OS is actually being reloaded with some bogus or bootlegged OS vs the being loaded from the OS CD Dell sent to me.

    There is all sorts of information I can provide, but I am not certain what would be most beneficial. I need to leave this up to the experts. So if someone could raise their hand and give me some help I would appreciate it. I know someone out there in cyberspace can fix this problem without too much sweat, but I do know this issue has gone on for some time now and this hacker now has complete control over my system. I understand it may take some time to undo what this person or these people have spent many hours creating, but I need my system back. I would be willing to offer some sort of compensation to the person who can get my system back into my hands. I do not have much money but I will certainly offer what is deemed fair in this situation. I am at the point where I just want to throw this Laptop into the trash can.

    I can't spend a lot of time speculating as to what may be the problem. I need to know what the problem is and to have it fixed. I currently am not using that machine to access the internet or to send this Post. I have to use an Internet Cafe so my access to the internet is much more restricted.

    Thanks in advance for any help someone may be able to provide.

    Thursday, 4 August 2011 18:46

Answers

All replies

  • Sorry to hear of your plight, at this point it may be wise to seek out an IT guru local to you, take him your laptop and a new unopened USB hard disk. Ask him to recover your documents and files, and tell him you're infected or exploited with malware so he can take action to proactively scan your system prior to saving your files.

    At that point I would format the system completely with a fresh install, turn up MS security essentials, enable the firewall, and start an active backup process once you're done rebuilding your laptop.

    Something does sound off with your system.

    On the bright side, you're not in a completely unrecoverable situation since you still maintain access to your system.


    :P Advice offered, If you need more help it is advised to seek the counsel and advice of paid professionals. The answer is always 42, or reboot.
    • Proposed as answer by Jason Hiegel Thursday, 4 August 2011 19:45
    Thursday, 4 August 2011 19:44
  • Thanks for your reply. I have taken my laptop into a repair shop 4 times now. They were not the gurus I hoped for. I have nothing on my system that is needed. No documents or files needed. The problem is the fresh install. If I have something hidden in memory I do not believe a fresh install will solve the problem. That memory block allocation needs to be removed. I think I can do it via the device manager but I do not want to make a mistake.
    Thursday, 4 August 2011 19:51
  • Oh and by the way - this is not malware or a virus. This is old Microsoft device software that has been loaded onto my machine. Virus and malware scans turn up nothing. It looks like legit software as it is. It is just old and highly vulnerable to security issues. I have Microsoft device software from 1996 on my laptop. This seems a bit old to me but maybe I am wrong. It is this combination of old technology and new technology that is so problematic. They have complete control over my system and no one knows how to find it and rid my machine of it.
    Thursday, 4 August 2011 19:59
  • Here's what I'm thinking, but I'm not completely familiar with current hacking trends...

    First, they can NEVER get to your machine if you're not connected online. So the $60,000 question would be, what ISP do you use?

    You don't necessarily need to publish it here, but the next question would be, do you have a static IP address? If it's not static, then it seems unlikely that they can "track" you from across the web somewhere.

    So the next question is then, are you working off a wireless LAN? If you are, I do know there are numerous hacking aids for determining someone's wireless key and gaining access to their WiFi networks. It would also make sense because they are close by and can tell much better what may have changed (if anything), as opposed to criss-crossing the network over obscure IP connections.

    If you are wireless, my suggestion is to go cabled. In order to hack into a cabled system, one has to have physical access to the cable. That's a lot tougher hill to climb than capturing someone's radio waves.

    You could also change your WLAN key (go with the most secure available on your router/modem) as well as your SSID, then turn off the broadcast of that SSID. If no one knows it and can't see it being broadcast over the waves, they can't know what it's called and can't hack it (I think. lol).

    Finally, I would also suggest that you can indeed wipe your machine such that any hidden programs or files would be lost, for all intents and purposes. Unless someone has physical access to your machine, when you repartition a drive, even though the files are still buried on the disk, there's no way to remotely "wake up" a "sleeper cell" of program code or whatever that I know of.

    Oh BTW. I just read recently about something like this in Michigan or something. A man was arrested for making his neighbor's life hell. He set up a social networking site in the neighbor's name, sent uncomplimentary emails to important people from the neighbor's computer, and generally wreaked havoc with his digital life. It was like out of a bad movie. But he did get caught. Perhaps you might involve the authorities?

    I wish you all the best. Take assessment of how you think they might be getting access, and take some counter-hacking steps to foil them...

    I sure hope this is helpful to you and wish you all the best...

    Cheers,

    Noel Stanford Oveson
    jeremyNLSO
    CNE, CLSE, MCSE, MCTS, MCITP
    Berlin, Germany

    Thursday, 4 August 2011 20:18
  • I have not encountered any rootkits or exploits that have survived a complete hardware wipe of a system, a low level format of a machine is where to start, installation of windows 7, and then applying updates and patches, installing the MS security essentials, and enabling the firewall.

    Do not re-install copies of software a buddy gave you. 

    I would not take it to say "a mega chain store with funny cars" and expect miracles, I would look at local repair techs near where you live, who actually have experience with this. I would also proactively run scans against any USB thumb drives or hard disks that you might co-mingle with other devices.


    :P Advice offered, If you need more help it is advised to seek the counsel and advice of paid professionals. The answer is always 42, or reboot.
    Thursday, 4 August 2011 20:19
  • Thanks for the reply. I thought the same as you with regards to the NEVER get to your machine if not online. I do not think that is true anymore. Apparently these people are using some type of Bluetooth technology to access the system. At least this is what I think. I just found an active USB Device Hub that said it was good for 6 BT connections. I deleted that. My system is hosed. Anyway, to answer your question. I use a variety of ISPs. In my home I have Telnor. They are the local telephone company in Baja California as that is where I live. It is ADSL service. I can tell you for a fact they are not very secure and I believe they were the start of my problems. I stopped using the WiFi from the Router they gave me, but that did not help. I also use Telcel wireless USB access and TMobile USB access. It does not seem to matter who I use anymore. My system calls home to the hackers whenever I get online from any ISP and then they have my new IP address. This seems fairly secure once I get into the network but these people had access to my computer before I could even access the network. I do not have a static IP address. Although at times it looks like I do because these hackers have done some funny things with my IP routing tables. I did everything else you mentioned many times over. I thought I was secure by doing those things and then I noticed these hackers had been in my system and using my IP access the entire time. Since they are riding on a partition and have access to my desktop they can gain access to the Wifi even if it is not broadcasting. They only need the code and that is easily obtainable if they have access to my ISP access information.

     

    BTW-I do believe my problems also started with a neighbor. He used the WiFi signal and Microsoft Easy Transfer to begin this nightmare. While I could give a hoot if someone posted shit about me on the Internet, this person has still made my life a living nightmare and it is also a bad movie.

    Thursday, 4 August 2011 21:30
  • The truth is I would feel better taking it to the big guys versus a small mom and pop. I took it to the mom and pop 4 times (2 different stores) and they did not have a clue. Now I am certain this would not be true with all the mom and pops but at least the big guys may have the resources to help out a little more. I am not an expert on this but I was reading that if I am just a user on part of a domain the administrator of that domain can have an image ROM and reimage any and all computers that are part of that domain AND with the right software this can be done remotely. True or not. If true, then your statement may still be correct but thus far I have not been able to make it work with the primary reason being that x: drive is write-protected and so are most of the files that reside on that drive. I do not know how to unprotect the disk or the files from that drive. I can only use DOS or WIN32 commands from that drive. I do not have access to windows as far as I know. Your instructions are basically what I have been trying to do.

     

    So - anyone know what command to unprotect a drive and/or the files within the drive. I tried using the attrib and takeown command without success.

    • Proposed as answer by Psylosyphyr Thursday, 10 January 2013 20:23
    • Unproposed as answer by Psylosyphyr Thursday, 10 January 2013 20:23
    Thursday, 4 August 2011 21:40
  • Hi Michael,

    I understand your current situation. However, generally speaking, it is recommended that you have a reinstallation or restore the computer from a previous backup if you think there is a hacker/virus issue on your computer.

    By the way, for the virus issue, visit the Microsoft Virus Solution and Security Center for resources and tools to keep your PC safe and healthy. If you are having issues with installing the update itself, visit Support for Microsoft Update for resources and tools to keep your PC updated with the latest updates. 

    Also, you can check Microsoft Security and Privacy Web site at:

    http://www.microsoft.com/security/

    Best Regards,

    Vincent Hu
    Monday, 8 August 2011 5:54
    Moderator
  • Hey Vince-

    I have the same problem but on 2 Dell laptops. It's also affecting every cell phone in my house now. As I type this, I have been closed out repeatedly. A clean install won't do it. I've had 4 new hard drives (2 per laptop), a new memory, battery and motherboard in one of them.. and countless clean installs.

    The first thing I did was call Microsoft PC safety and was pretty much ridiculed when I said a clean install did not fix the problem. They are all about the "scan results". Well Vince, I've looked at every file on both laptops - through the registry keys. All of the files of my laptops are locked. - And here's the deal, the hard drives (each with a segment missing - the 500G like Michael's is 465.8 G) my laptops are "virtual" and the MBR is in the DVD drive on one and in a phantom USB drive- drive E:-  no drive installed on either laptop but the icon is on both- I can even remove it with safely remove hardware - but it's there after each reboot.

    I know I am on a server, the registry proves it. I think I may be on more than one. I have active services for both Server and Workshop, as well as about 6 Remote services, several DCOM services, the Group Policy service - and I am a total lackey in that organization. My function is to pay the internet bill, several P2P services, and a bunch of Windows Media services- extenders, networks, blah blah blah.

    I also have the same legacy hardware installed in my device manager but nowhere on my computer.. and it causes a boat load of crashes. Oh, and yes, the memory is totally involved but I haven't figured out how it plays in from what I've been told about how the memory functions.

    Oh, I finally figured out why the scans come out clean.. there are a ton of snap ins in the MMC..  "they" pull them in and out. In AVG, I can not scan my network files  - the ones I'm not even supposed to have.

    So Vince, I've spent about 500.00 in the past 6 wks and gotten nowhere.. that does not include the cost of the hardware.. both laptops are still warrantied. If you've got any better ideas than PC safety or a local shop, please get in touch.. I have a lot of other particulars which might be helpful.

    However, I am basically typing this with the page and cursor jumping all around. It sucks.. it absolutely sucks.

    Friday, 2 September 2011 21:53
  • Michael,

    I have the same thing on 2 Dell laptops. If you've found a solution, please let me know. If not, I have a lot of info I'd like to compare. Thanks.

    Friday, 2 September 2011 21:55
  • Couple of things here. 

    Your installed physical memory being lower than the actual physical memory is normal. Some PC manufacturers use that for on-board video and other devices so I wouldn't be as concerned about that as the OS issues.

    With regards to your OS issues, let me ask a question here. If you do a clean installation from DVD and never connect it to the internet cafe that you go to, does the problem reoccur? It sounds to me like what you have happening is a bot of some sort that's on the network of your internet cafe and once you join that network you get instantly owned by whomever has their software there. It might explain why your phones also act that way (which is odd to me), if they are being connected to that same cafe network.


    --Joseph [MSFT] http://blogs.technet.com/b/joscon/
    Saturday, 3 September 2011 13:13
  • Hey Joseph,

    Thanks for your response. I don't go to internet cafes, starbucks or anywhere else. When I use my laptop outside of my home, which is not often, I have a Verizon USB modem. Yet, I haven't used either laptop away from home since late June. None of that really matters, as my home network is totally screwed. Right after all of this started, I paid a professional to come reconfigure the network with a new Belkin ND 600 router. I am now locked out of that. The password has been changed from that with which it was set up. NO, a hard reset does not take it back to factory standards. I've tried countless times, please do not ask me something stupid like how long I held the reset button. Just take my word for it, the reset button does not reset anything. I set the Windows firewall to default with all incoming traffic blocked but within minutes it's changed.. there's a snap in that dictates the setting.. I didn't even know about snap ins until a couple of weeks ago... not about snapins, group policy or the MMC.. I've learned a lot.. just not enough to get this mess straight. Plus, no one with whom I've spoken feels any of this is legitimate... The guy who came to the house did, but that was in the beginning and he said it was just a faulty hard drive.. 2 new hard drives on each laptop later, I think it's safe to say it's not the hard drive... speaking of which this laptop should have a 500GB drive but it shows only 465.8GB.

    Regarding the clean install, there is no such thing. I just reinstalled the OS on the Win7 a few hours ago. My files came up exactly as they were before the installation. Out of curiosity, to see if it was booting from the CD drive as it was set to do, I disabled the hard drive in the BIOS and put the OS disk in the CD drive. When I started it up, I got an error that there were no bootable devices. Not only are my files intact after a reinstall, all of the server files (the server that I'm not supposed to be on) are intact, including the group policy settings I didn't create (and which limit me to basically read only while giving the "TrustedInstallers, SYSTEM and CREATOR OWNER" all of the admin rights (I am the only user of both laptops), the snap ins for scheduled tasks, the device manager and disk management. The registry is full of keys relating to servers - BDE UI server, ACC Radius Server, BYOT.BYoT.Server.ext, there are others but as I type this, the cursor is going everywhere. Actually, this is my 2nd attempt to reply. Initially, I was replying directly on the website but as I was typing, the page turned and my reply was gone. I'm using notepad now, hoping to be able to save the text long enough to copy and paste it on the internet.

    The device manager shows tons of hardware that is not on this laptop, including drivers for RDP.. I can't remember all of the letters right now, but it's the remote desktop protocol. My running services show a service for Server, Workstation, Remote Registry, the list goes on.. I have a problem, Joseph.. a big problem. One I've spent lots of time and money trying to correct.. and have gotten nowhere. If anything, it's worse than when it started in early July.

    From what I see looking at the files, there's some spamming, video game playing and music sharing going on through my laptops.

    As to the phones, I'm now at 3 trashed phones. The Verizon techs agree, they've never seen anything like it either. Last Friday, there was an addition made to my plan for data usage.. I didn't make it. I do not use the internet on my phone. At any rate, there is also a registry key for synced mobile devices..  no names of devices, just long strings of numbers..

    If after reading this, you have any suggestions, or guidance I would be extremely grateful.

    Thanks,
    Missy
    Monday, 5 September 2011 13:46
  • Missy;

    Again, some of these things are "normal", the trusted installer, remote registry, workstation and server services are all supposed to be there. The fact that you can't actually use the laptop is the real problem here. I would agree that I don't think that it's a hardware related problem but is a network related issue (although it still doesn't explain your cell phone problems). My advice would be to either open an actual support incident with our security group here at Microsoft or if you still want to continue down this road then I would rebuild one machine completely from media, not connect it to the internet in any way and then see what your results are. Next I would add the system to the internet via only the cable modem (not via the router) and again check the results. If both of those tests work properly, perhaps something is on the router that is causing the problem.

    I'm curious to know how you're determining most of these other things are occurring though.  For example, how do you know there is gaming taking place on your machine?  Do you have remote assistance turned on?  If so, maybe try turning it off and check the results.

    All in all you've got a really odd issue that if a rebuild doesn't work it's really hard to tell you what the next steps are without physically seeing the problem.


    --Joseph [MSFT] http://blogs.technet.com/b/joscon/
    Monday, 5 September 2011 15:52
  • Hey Joseph,

    As soon as I sent the last post, I realized I'd forgotten to mention why I haven't gone to a wired connection... I am not able to install a 10/100 network controller. I just tried again a couple of hours ago. Using the Dell driver disk on either laptop, I am able to start the installer but then get an error message that the driver is not compatible with my computer. Again, it's on the disk that came with each of the respective laptops. That's been going on for about a month. Additionally, when I install any drivers off of the CD, I get additional programs. Yet, for the past 8 weeks, nothing is as it should be with my computers. For example, the wireless network controllers on the disk are the 1501 and the 1520 dell wireless network cards. Yet, when installing, I don't get either of those. I get the 1397 Dell wireless driver (not on the disk), as well as Cisco EAP, LEAP and PEAP.. I didn't know what they were before checking them out on the internet. I've also had Microsoft visual Basic C come in with files that were supposedly installed from the Dell disk.

    I do realize that some of the things I mentioned in my previous post are typical - ie the trusted installers and some of the services. However, within the current context, they're anything but normal. I've had the "trustedinstallers" block me from deleting one of my files. While I definitely DO NOT have remote access enabled (I've always been very careful about keeping that feature disabled), I do have 6 remote connection related services actively running, in addition to 2 P2P services. I am not able to stop them from running, the disable feature is grayed out. I am also not able to stop the Group Policy service, or the 4 DCOM services. Nor am I able to uninstall any of the MANY drivers for hardware I do not have from the device manager, I started to say from the computer but they're not on my computer... The device manager within both of my laptops shows my computers as an ACPI compliant system. There is also another computer shown with a driver called HAL.inf. There are NUMEROUS drivers for SM BUS hubs, tons of PnP drivers which show locations other than my computers, way more networking drivers than any one computer would ever need, including Teredo tunneling and link to link mapping, there is a remote mirror driver, a RDPDD driver, PCI bridge, just all kinds of weird stuff. I've had one of these laptops for over 2 years and used it over 8 hours a day. I am very familiar with it. I know what is normal.. even if I didn't have all of the other weird stuff (quite a few emails from friends I've not received, a new account on ancestry.com I didn't set up, a Windows Mail account I didn't set up and do not have access to, unauthorized online changes made to my verizon account service plan), the current configuration is not the laptop I've used for 2 years.

    Speaking of verizon, the phones were synced to the computers using the standard Windows sync program. Thereafter, programs were installed on them that could not be removed, the key settings were no longer standard (I have the original manuals to all of the phones which documents this) and on one, it was impossible to set the NAM.. the setting key is no longer for that function, it's just gone. With Verizon's guidance, I attempted to restore all three to factory settings. We went through the entire process and then couldn't reactivate the phones.. it just wouldn't go through. Additionally, the restore which should have wiped all of the info from the phones, removed nothing. Bottom line, they are all worthless now. They can't be connected without being programmed/reactivated and that is not happening. I worked with 2 different Verizon reps. Both said they had never seen anything like it.

    Regarding my awareness of the type of activity taking place, I've copied and pasted the contents of a file stored on the laptop I'm currently using. The file is entitled UserConfig.xsd:

    <?xml version="1.0"?>

    <xs:schema
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns="http://www.cisco.com/CCX"
      targetNamespace="http://www.cisco.com/CCX"
      elementFormDefault="qualified"
      attributeFormDefault="unqualified">

      <xs:element name="eapCredentials" type="EapCredentials" />

      <xs:complexType name="EapCredentials">
        <xs:sequence>
          <xs:element name="username" type="xs:string" minOccurs="0" />
          <xs:element name="password" type="xs:string" minOccurs="0" />
          <xs:element name="certificate" type="xs:hexBinary" minOccurs="0">
            <xs:annotation>
              <xs:documentation>
                SHA-1 hash over the whole binary certificate in X509 format that uniquely identifies a certificate in the OS managed store.
              </xs:documentation>
            </xs:annotation>
          </xs:element>
        </xs:sequence>
      </xs:complexType>

    </xs:schema>


    Over the past month, I've looked at every file, every registry key on each of my laptops. There are all of these certificates (x509 and others) that are protected files. cimcontent.com is somehow related, it's referenced in a bunch of the files. There is obviously a relatively strong internet presence as every page I go to is a redirect, even my comcast home page. I have over 20 ActiveX controls that are all run without permission, and we're not talking adobe flash or shockwave, these all relate to scripting.. there's even a plug-in for a scripting dictionary. I use Firefox and you can see the web address not just in the browser address bar but in the bottom left side of the page. The browser address will show one thing and the bottom left of the page shows another. Whoever this is has access to encrypted web pages because I've looked at my bank account online from here and although the page is encrypted, the page info and certificate on my bank's web page says that PNC Bank does not claim the site. I went to my sister's and checked it out on her computer where the certificate showed PNC as the owner of the site and supplied contact info. I have active "Saved Game" files.. I don't play games. Several of my friends have had their email accounts hacked recently and I'm pretty sure I was unintentionally the cause. As I type an email, my cursor goes up to the email address typed in the address window or if I'm reading a group forward, it bounces like crazy across the group of email addresses. Finally, not finally in actuality but finally as in I'm tired of typing with the cursor jumping all around, I know there is heavy activity on my internet connection as comcast keeps an account of how much you've used, I am at like 20GB this month.... WAY beyond my usual usage. Oh, and also, especially at night, the task manager will show my computer is being used at like 50% of its capacity, and I'm just looking at the task manager, not running any programs. If I click show processes from all users, the list of running processes quadruples and shows multiple CPU IDs.

    Windows Media Center is a huge part of whatever is going on, as is Windows Sidebar. Oddly, WMP is set as the default program to open some text and executable files, as well. Ease of Access Center is also a player, along with the Easy File Transfer. As Michael (the original poster in this thread) said, the DRAM is involved too. A lot of the weird programs show installations in memory addresses.

    Joseph, Microsoft was the first place I called. I agreed to a 60.00 fee upon resolution and gave my credit card number. I think I still have an active case number but after several calls of being told a clean install will solve all and being treated like I was an absolute idiot, I gave up. Listen, it's not the money. Had there been a resolution, I would have gladly paid any amount asked. Yet, the only thing I was told was a clean install will fix all.. and I get that mentality. I thought that too... but it is not the case in this situation.. and no one seems to want to hear that, listen to that. I also have had numerous conversations with various reps from Dell.. they will keep installing HDDs until the cows come home.. I bought the 3 year "anything" extended warranty on one of these laptops... they have definitely lost money on that deal. I called AVG's fee based service too. Locally, I've paid an IT guy several hundred dollars to come to my home, work on the network and reinstall the OS in one of the laptops.. posting on the internet is my LAST resort, not the first.

    I make my living selling on eBay. Typically, I make a very nice living. Now, I'm afraid to look at my PP account. My gross income for the past 8 weeks is down around 20,000. If I don't get this squared away soon, I won't have to worry about it. I won't be able to pay my Comcast and Verizon bills and will have to sell the laptops to buy something to eat off the dollar menu at McDonald's.

    Again, any ideas, any guidance will be appreciated. Thanks so much for your time.

    Best,
    Missy
    Tuesday, 6 September 2011 5:52
  • Missy,

    I am the one who started this thread. I just got my machine back up today after installing Win 7 Ultimate for about the 25th time. It appears as if when I loaded it on 2 separate partitions it confused the hackers' malicious software. It gave me some time to lock down my system before the bad guys got to me. They are still out there. I installed some Network tracking software and I am seeing all sorts of strange service requests coming out of my machine. It appears that as soon as a network connection is made the software is programmed to send out a call home packet. This gives the folks a heads up that I am back up and working and they can start to utilize my machine for whatever purpose they have.

    Your problem is exactly the same as my problem. I think I have uncovered what is happening (read the post after this one), but I really do not know how to clear it out of my system at this point. I have so much junk on my computer that I think it may be impossible to clean. I need for Microsoft to tell me how to get rid of WinPE, Active Domain and NT. Now I know some of these software components may be built into Win 7, but what has happened is clearly the work of some bad people that have caused me much pain and loss of income. I just found a program that gave me a decent report of my driver problem. It is long, but I think it is important for Microsoft to see.


    This is the crap that has been loaded on my machine and I can't remove these drivers. They are set up so that I either get an Access Denied error or should I delete them I get the Blue Screen at my next boot. The one thing that I was able to do and it has thus far seemed to help, is I noticed all the Services I had running were set up to run in a shared process. I think this allowed multiple people to utilize the same services. I changed most of them to run in their own process by issuing the following command line options "sc config 'service name' type= own". Now I was not able to change the key one which I have all along believed to be my problem - The Group Policy service. I am screwed if someone else has Super User Admin rights while I only have Local user admin rights. Once I installed Win 7 Ultimate I immediately saw the difference as this product has so many security options that it makes my head spin.

    PS - I am not able to send the files that show my Driver problems as I get an error message stating it is too big. I will send it under a separate post.


    Tuesday, 6 September 2011 7:24
  • Microsoft AC Adapter 6.1.7600.16385 2006-06-21 Microsoft Signed, default

    Dell Touchpad 15.1.12.0 2010-09-03 Synaptics Signed

    ACPI Fixed Feature Button 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Intel(R) Core(TM) i3 CPU U 380 @ 1.33GHz 6.1.7600.16385 2006-06-21 Microsoft Signed, default

    Programmable interrupt controller 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    System timer 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    High precision event timer 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Direct memory access controller 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Standard PS/2 Keyboard 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    System speaker 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    PCI bus 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    System CMOS/real time clock 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    System board 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Motherboard resources 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Numeric data processor 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Microsoft ACPI-Compliant Control Method Battery 6.1.7600.16385 2006-06-21 Microsoft Signed, default

    ACPI Power Button 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    ACPI Lid 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    ACPI Sleep Button 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Microsoft Windows Management Interface for ACPI 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    ST Micro Accelerometer 1.0.0.12 2010-08-18 ST Microelectronics Signed

    ACPI Thermal Zone 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Microsoft ACPI-Compliant System 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Bluetooth Device (Personal Area Network) 6.1.7600.16385 2006-06-21 Microsoft Signed, default

    Bluetooth Device (RFCOMM Protocol TDI) 6.1.7600.16385 2006-06-21 Microsoft Signed, default

    Generic PnP Monitor 6.1.7600.16385 2006-06-21 Microsoft Signed, default

    Generic PnP Monitor 6.1.7600.16385 2006-06-21 Microsoft Signed, default

    IDT High Definition Audio CODEC 6.10.0.6295 2010-08-05 IDT Signed

    Intel(R) Display Audio 6.12.0.3047 2010-02-03 Intel(R) Corporation Signed

    WDC WD5000BEKT-75KA9T0 ATA Device 6.1.7600.16385 2006-06-21 Microsoft Signed, default

    Realtek PCIe GBE Family Controller 7.23.623.2010 2010-06-23 Realtek Signed

    Intel(R) processor DRAM Controller - 0044 9.1.1.1022 2009-10-28 Intel Signed

    Intel(R) HD Graphics 8.15.10.2154 2010-06-21 Intel Corporation Signed

    Intel(R) 82801 PCI Bridge - 2448 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Intel(R) HM57 Express Chipset LPC Interface Controller - 3B0B 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Intel(R) 5 Series/3400 Series Chipset Family 2 port Serial ATA Storage Controller - 3B2D 9.1.1.1013 2009-06-04 Intel Signed

    Intel(R) 5 Series/3400 Series Chipset Family 4 port Serial ATA Storage Controller - 3B2E 9.1.1.1013 2009-06-04 Intel Signed

    Intel(R) 5 Series/3400 Series Chipset Family SMBus Controller - 3B30 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Intel(R) Turbo Boost Technology Driver 1.2.0.1002 2010-02-26 Intel Signed

    Intel(R) 5 Series/3400 Series Chipset Family USB Enhanced Host Controller - 3B34 9.1.1.1020 2009-08-20 Intel Signed

    Intel(R) 5 Series/3400 Series Chipset Family USB Enhanced Host Controller - 3B3C 9.1.1.1020 2009-08-20 Intel Signed

    Intel(R) 5 Series/3400 Series Chipset Family PCI Express Root Port 1 - 3B42 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Intel(R) 5 Series/3400 Series Chipset Family PCI Express Root Port 2 - 3B44 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Intel(R) 5 Series/3400 Series Chipset Family PCI Express Root Port 3 - 3B46 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Intel(R) 5 Series/3400 Series Chipset Family PCI Express Root Port 5 - 3B4A 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    High Definition Audio Controller 6.1.7601.17514 2010-11-19 Microsoft Signed, default

    Intel(R) Management Engine Interface 6.0.0.1179 2009-09-17 Intel Signed

    ATA Channel 0 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Microsoft ISATAP Adapter 6.1.7600.16385 2006-06-21 Microsoft Unsigned

    Teredo Tunneling Pseudo-Interface 6.1.7600.16385 2006-06-21 Microsoft Unsigned

    ACPI x64-based PC 6.1.7600.16385 2006-06-21 Microsoft Signed, default

    File as Volume Driver 6.1.7600.16385 2006-06-21 Microsoft Unsigned

    Composite Bus Enumerator 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Microsoft Composite Battery 6.1.7600.16385 2006-06-21 Microsoft Signed, default

    @%systemroot%\system32\drivers\afd.sys,-1000       Unsigned

    AVGIDSDriver       Unsigned

    AVGIDSEH       Unsigned

    AVGIDSFilter       Unsigned

    AVG AVI Loader Driver       Unsigned

    AVG Mini-Filter Resident Anti-Virus Shield       Unsigned

    AVG Anti-Rootkit Driver       Unsigned

    AVG TDI Driver       Unsigned

    Beep       Unsigned

    @%systemroot%\system32\browser.dll,-102       Unsigned

    CD/DVD File System Reader       Unsigned

    @%SystemRoot%\system32\clfs.sys,-100       Unsigned

    CNG       Unsigned

    LDDM Graphics Subsystem       Unsigned

    @%SystemRoot%\system32\drivers\fvevol.sys,-100       Unsigned

    @%SystemRoot%\system32\drivers\http.sys,-1       Unsigned

    @%systemroot%\system32\drivers\hwpolicy.sys,-101       Unsigned

    KSecDD       Unsigned

    KSecPkg       Unsigned

    Link-Layer Topology Discovery Mapper I/O Driver       Unsigned

    @%systemroot%\system32\drivers\luafv.sys,-100       Unsigned

    @%SystemRoot%\system32\drivers\mountmgr.sys,-100       Unsigned

    @%SystemRoot%\system32\FirewallAPI.dll,-23092       Unsigned

    @%systemroot%\system32\wkssvc.dll,-1002       Unsigned

    @%systemroot%\system32\wkssvc.dll,-1004       Unsigned

    @%systemroot%\system32\wkssvc.dll,-1006       Unsigned

    msisadrv       Unsigned

    NativeWiFi Filter       Unsigned

    @%SystemRoot%\system32\drivers\ndis.sys,-200       Unsigned

    NDIS Usermode I/O Protocol       Unsigned

    @%SystemRoot%\system32\drivers\netbt.sys,-2       Unsigned

    @%SystemRoot%\system32\drivers\nsiproxy.sys,-2       Unsigned

    Null       Unsigned

    Performance Counters for Windows Driver       Unsigned

    PEAUTH       Unsigned

    @%SystemRoot%\System32\drivers\pacer.sys,-101       Unsigned

    @%systemroot%\system32\DRIVERS\RDPCDD.sys,-100       Unsigned

    @%systemroot%\system32\drivers\RDPENCDD.sys,-101       Unsigned

    @%systemroot%\system32\drivers\RdpRefMp.sys,-101       Unsigned

    Link-Layer Topology Discovery Responder       Unsigned

    Security Driver       Unsigned

    Security Processor Loader Driver       Unsigned

    @%systemroot%\system32\srvsvc.dll,-102       Unsigned

    @%systemroot%\system32\srvsvc.dll,-104       Unsigned

    srvnet       Unsigned

    @%SystemRoot%\system32\vmstorfltres.dll,-1000       Unsigned

    @%SystemRoot%\system32\tcpipcfg.dll,-50003       Unsigned

    TCP/IP Registry Compatibility       Unsigned

    @%SystemRoot%\system32\tcpipcfg.dll,-50004       Unsigned

    VgaSave       Unsigned

    @%SystemRoot%\system32\drivers\volmgrx.sys,-100       Unsigned

    Storage volumes       Unsigned

    Virtual WiFi Filter Driver       Unsigned

    @%systemroot%\system32\rascfg.dll,-32012       Unsigned

    Kernel Mode Driver Frameworks service       Unsigned

    WFP Lightweight Filter       Unsigned

    WIMMount       Unsigned

    User Mode Driver Frameworks Platform Driver       Unsigned

    Microsoft System Management BIOS Driver 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Remote Desktop Device Redirector Bus 6.1.7600.16385 2006-06-21 Microsoft Signed, default

    Terminal Server Keyboard Driver 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Terminal Server Mouse Driver 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Plug and Play Software Device Enumerator 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    UMBus Root Bus Enumerator 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Microsoft Virtual Drive Enumerator Driver 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Volume Manager 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Generic volume 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Generic volume 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Generic volume shadow copy 6.1.7600.16385 2006-06-21 Microsoft Unsigned

    Microsoft Streaming Service Proxy 6.1.7600.16385 2006-06-21 Microsoft Unsigned

    Microsoft Streaming Clock Proxy 6.1.7600.16385 2006-06-21 Microsoft Unsigned

    Microsoft Streaming Tee/Sink-to-Sink Converter 6.1.7600.16385 2006-06-21 Microsoft Unsigned

    Microsoft Streaming Quality Manager Proxy 6.1.7600.16385 2006-06-21 Microsoft Unsigned

    RAS Async Adapter 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Microsoft Trusted Audio Drivers 6.1.7600.16385 2009-07-13 Microsoft Signed, default

    UMBus Enumerator 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    UMBus Enumerator 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    USB Root Hub 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    USB Composite Device 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Integrated Webcam 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    USB Mass Storage Device 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    USB Mass Storage Device 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    Generic USB Hub 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    TSSTcorp CDDVDW SE-S084C USB Device 6.1.7601.17514 2006-06-21 Microsoft Signed, default

    SanDisk Cruzer USB Device 6.1.7600.16385 2006-06-21 Microsoft Signed, default

    Removable Disk 6.1.7600.16385 2006-06-21 Microsoft Signed, default

    Microsoft Virtual WiFi Miniport Adapter 6.1.7600.16385 2006-06-21 Microsoft Unsigned

    Tuesday, 6 September 2011 7:26
  • No. I do not connect my computer in any way to the Network from the Internet cafe. I think I may have finally shed some light on this issue. Every time I got into a Computer Recovery mode I could drop down into that x: drive that has been so mysterious. Recently I noticed a Windows program running called WinPE. I did a little digging today and understand what that software is used for.
    BUT, I believe some people have learned how to take advantage of that software in ways that Microsoft never intended. First off let me say that my new laptop did not come with an OEM Recovery Partition. This was created by some people unbeknownst. Based on what I read today, it all makes perfect sense - WinPE can create a Partitioned Drive and once it is created and the intended software is installed, that drive can never be found - this at least according to a document I read on Microsoft's website today.
    So basically I can never get rid of this malicious WinPE software that is sitting on my hard drive. These people must be ex Microsoft programmers or are just very, very familiar with Microsoft's programming..
    I guess what they do is find a hole in someone's Internet access. Lay down this software via BITS transfer. Then they create all sorts of shares that allow other folks to access the computers that have been exposed. The exposed computers then will become servers in a way. They have been controlling my computer by somehow putting me into their Active Domain cloud.
    This has actually been going on awhile - over a year. It wasn't until I really started to notice it and fight back that I came to the conclusion this was serious. As I would try to prevent them from gaining access, they would tighten down my capabilities via Group Policy rules. As an example, if I put in a firewall rule to prevent inbound and outbound traffic they would just disable my local firewall via their group policy. I did not even know this existed until I installed Win Ultimate - this was when I started to gain a little bit of an upper hand.
    While I finally just got on-line not more than an hour ago, I can see their work is still playing havoc with my computer. Every time I install the virus protection product from AVG, they come in and somehow disable it so it is worthless after about a day or two.
    I still have one big problem and it has been the same problem I have had since day 1 of this excursion for me. I can not stop or disable or do anything with the Group Policy Service. Everything is grayed out. When I go to the command prompt and issue an sc command I get an Access Denied message with this Service. There are about 5 or 6 services running that I have the same problem with.
    I do not believe the Memory problem I have has anything to do with Memory leaking into the Video Memory. Take a look at 2 screen shots of my device manager and look at the installed devices. These were not like this before my problem started to occur. I believe these people are trying to use some of my memory to hold code or their own software for lightning fast access. I ran the debug program down at the command prompt and I found much reference to the fact they were using my machine as a testing ground for whatever is up their sleeves. When I first noticed this I could just uninstall the devices or disable them but now every time I do that I either need to re-install my OS again because I get the dreaded blue screen at my next boot or nothing occurs at all and that memory access is not mine anymore. It appears as if they are using 200meg of my RAM for their own purpose. I really think Microsoft should investigate this matter. They flew under my radar for a very long time. Once I discovered it has been an uphill battle to regain control of my Machine. While I have some control at the moment I do not know how long it will last with all that malicious still on my machine.
    I have mountains and mountains of information with regards to this matter, but I need to get some other work done. I have literally been offline because of this matter for over 4 months now. It has caused me great pain in ways that might be hard for people to understand.
    Take care and thanks for the response.
    [two screenshots attached: image.png, image.png]

    Tuesday, 6 September 2011 7:27
  • Wow - I just read your entire thread. It brings back many ugly memories. You are where I was 6 to 8 months ago. My issue started out with ActiveX scripts running every day. They had the www.w3.org reference that you mention. It slowly moved away from Active-X issues to a much worse problem. What really caught my attention about your post was your mention of Media Center being a big part of this entire issue. You are 100% correct in what you say.

    What these people are doing is tracking everything you do on your computer. They are saving this information in a variety of ways with the use of IE being one of the big ways. But they are also using all sorts of Syslink directories, Shared Drives, and UNC paths to hide the information they are tracking on you. They gather this information on a daily basis and send it up to their cloud via the Media Center Program. Apparently they are using the Transcoding capabilities as it suits their purpose. I only know this by accident. One night I saw a Network Share come into my computer. I was able to access that person's Network Share and what I received was this strange file coming into Media Center that was being transcoded. The file was initially very small but what I ended up seeing was every single web page I had visited over the past few days. All in a graphic format. Since I have been back up online just today, I have wiped my computer at least 8 times of all Privacy related files left behind. Each time it is in the 25 - 50 Meg range. It is simply unbelievable.

    They also were able to gain access to my Blackberry. I did not know that was the problem at the time, but I have all the emails of my complaints to RIM and my Carrier that someone was gaining access to my Device and had the capability to see everything I was doing, but even more scary - they were able to track my every whereabouts. It is scary for me as I live in a foreign country that is not quite as safe as the US. I notice on my Dell they had the capability to turn on my Webcam remotely. They could turn on the Audio and listen to what I say if they wanted to. They have the Location service running which could be used to track the whereabouts of your computer. I also noticed they had the Microsoft Narrator program running at all times. I could not turn it off. Basically every time I typed a word the program would pronounce it. Now I never heard a thing, but I assume these people found a way or were looking for a way to send this information over the Network. It would be a good way for them to get Password and Bank PIN information that you type in to the computer. Up until today I have pretty much left my NIC card, USB Ports, Camera and Microphone off via the BIOS. But my problem was the Dell Vostro laptop did not come with a CD Drive so every time I needed to install the OS again I had to turn on the USB Ports which allowed these people to gain access to my machine via some sort of Bluetooth and wireless capability. This is the part that really has me the most stumped. Given the short range of BT I do not understand how they were able to do this. I think what I essentially had was two OSes running. One was mine and one was theirs. They could gain access to my machine anytime they wanted as they set up my computer as a server and they were the owners of that server with their own RAM which they still have along with their own Hard Disk space which they still have.

    The last thing I want to mention is I also had the same problem with my email where I could tell there was someone else in that email with me. There was a recent time when I discovered the Active Domain connection. I was doing some research on the Internet and came across a paper that gave huge insight into the problem. As I was trying to copy the paper into my email I was blocked by someone who threw up another web page that prevented me from doing what I needed to do. It was all very strange. In fact I complained to Google for a good month as I thought someone had moved me to their Google Apps product and my email was being hosted on a Domain other than Google. It even got so bad that I think these people were able to track me every time I logged into my email account. I later discovered about 50 Add-On Browser files that had been added to IE and every single one said they were Microsoft files but there was also a warning that the Microsoft Signature could not be verified. These were all very old Active-X type files, scripts, capabilities and programs (just as most of my drivers currently loaded say they are from Microsoft from the year 2006, which is ancient history in the computer world). I obviously disabled those Add-Ons.

    I never even imagined this was a Microsoft issue up until now. I was blaming Dell and Absolute (makers of the Lo-Jack BIOS security software). When this problem first occurred quite some time ago I immediately bought a 2-year software maintenance contract from a Microsoft owned company. They were not very helpful. I even brought up this whole Group Policy issue with them numerous times but every time I called I had to spend an hour on the phone explaining everything all over again that it started to become a joke. I gave up on them. My only request of them was to help me disable the Group Policy Service. They said it could not be done in Win 7 Home Premium. Well I have yet to find a way to do it with Win 7 Ultimate.

    Anyway that is enough for now. I only hope Microsoft steps up here and takes some responsibility here. I think this problem is only going to get much worse. Just like you, this stuff seemed to follow me wherever I went and I ended up infecting my father's machine and a few friends'.

    Tuesday, 6 September 2011 8:47
  • Joseph,

    I need to bring up one last item that I just noticed. This should clearly (at least I hope) make Microsoft want to get involved with this matter. Look at the 2 device drivers called TSSTcorp and SanDisk Cruzer. These people have taken devices from other manufacturers (SanDisk and Samsung with the TSSTcorp driver) and put Microsoft's name on them. They have given the device drivers' software a date of 6-21-2006 and claimed that Microsoft is the Certification signer (ALL BOGUS). You will also notice some of the Intel stuff states it is Microsoft. Most of the Intel Drivers that have the correct dates and names were just loaded over the last few days on my machine. Given time these drivers will also convert to this 6.1.7600 Software version with the 6-21-2006 date. I believe this is occurring as all the Drivers from these people have been put into one big cabinet file which they unload every time I try to re-install the OS.

    Tuesday, 6 September 2011 9:31
  • OK, so a couple more things here:

    1.  The WinPE partition at the front of an OEM installation is 100% normal.  OEMs are allowed to configure those types of drives for their WinRE installations how they want to based on how they want to support recovery.

    2.  When you see drivers for devices that are branded as Intel or SanDisk but the signer is Microsoft, that is also fairly normal.  We sign many third party drivers that we have tested with the vendors internally during an OS release.  These are commonly the drivers you'll see on Windows Update.  If you were to install the ISV's driver directly, that should have their signatures if that's what you're after.....again though, this isn't a problem.

    3.  Trusted Installer blocking you from deleting a file is 100% normal and expected behavior.  That service is there to protect the operating system from exactly that type of behavior.

    Lastly, I know this won't be a popular stance but I have yet to see where this is a Microsoft problem.  That's not to say there might not be an OS issue related here somewhere but I still don't have a good understanding of either of the actual problems here and they all seem to be related to your internet connections.  If either of you wanted to test a clean installation that never goes online and describe your symptoms (if they occur) then I would be happy to assist in questions about how or what the OS should be doing vs. what you're seeing it do.  Otherwise, your best bet is to open a support case with our security team.  They have tools that they can run against your machine to tell you if you were a victim of hacking or not.


    --Joseph [MSFT] http://blogs.technet.com/b/joscon/
    Tuesday, 6 September 2011 11:03
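    The two replies above disagree about what the pasted driver report means: a "Microsoft" signer on an Intel or SanDisk device, and "Unsigned" next to inbox Windows drivers. The script below is an added example, not a command either poster ran and not Microsoft's own tooling; it reads the same columns from the standard Win32_PnPSignedDriver and Win32_SystemDriver WMI classes and then checks the Authenticode signature on each kernel driver file with Get-AuthenticodeSignature. It assumes Windows PowerShell in an elevated prompt on Windows 7 or later.

```powershell
# Added example, not code from the thread or from Microsoft: audit installed drivers
# and report who actually signed each driver file. Windows PowerShell, elevated prompt.

function Get-PnPDriverSummary {
    # Same device/version/date/provider/signed columns as the report pasted in the
    # thread, read from the Win32_PnPSignedDriver WMI class.
    Get-WmiObject -Class Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName } |
        ForEach-Object {
            $date = $_.DriverDate          # WMI datetime string, e.g. 20060621000000.******+***
            if ($date -and $date.Length -ge 8) {
                $date = $date.Substring(0, 4) + '-' + $date.Substring(4, 2) + '-' + $date.Substring(6, 2)
            }
            New-Object PSObject -Property @{
                Device   = $_.DeviceName
                Version  = $_.DriverVersion
                Date     = $date
                Provider = $_.DriverProviderName   # vendor named in the INF (Intel, SanDisk, ...)
                Signer   = $_.Signer               # who signed the driver package
                IsSigned = $_.IsSigned
            }
        }
}

function Get-DriverFileSignatures {
    # Win32_SystemDriver gives the on-disk path of each kernel-mode driver;
    # Get-AuthenticodeSignature checks the embedded signature of that file.
    Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Paths come back as \??\C:\..., \SystemRoot\..., or plain C:\...
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
            $status = 'FileMissing'
            $signer = ''
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
                if ($sig.SignerCertificate) {
                    $m = [regex]::Match($sig.SignerCertificate.Subject, 'CN=([^,]+)')
                    if ($m.Success) { $signer = $m.Groups[1].Value }
                }
            }
            New-Object PSObject -Property @{
                Driver = $_.Name
                State  = $_.State
                Path   = $path
                Status = $status
                Signer = $signer
            }
        }
}

# Items worth a second look: a modified file (HashMismatch), an untrusted chain,
# a missing file, or a running driver with no embedded signature at all.
Get-DriverFileSignatures |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Driver |
    Format-Table Driver, State, Status, Signer, Path -AutoSize

# Provider/signer view: Microsoft as Signer with Intel or SanDisk as Provider is the
# inbox-driver case Joseph describes, not evidence that the vendor name was forged.
Get-PnPDriverSummary | Sort-Object Signer, Provider |
    Format-Table Device, Version, Date, Provider, Signer, IsSigned -AutoSize
```

    Two caveats when reading the output. Get-AuthenticodeSignature only evaluates a signature embedded in the file; Windows ships many inbox drivers signed through a catalog file instead, so "NotSigned" on a driver under System32 is not by itself evidence of tampering (sigverif.exe, the File Signature Verification tool, does consult the catalogs). The result that does indicate a changed file is HashMismatch: the file carries a signature, but its current contents no longer match it.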
  • So Microsoft has released 9 unsigned Drivers in just one single user situation. There must be millions if not billions of these unsigned Drivers sitting on people's computers. Pretty damn careless for a multi billion dollar Corporation don't you think?

    I am sorry but opening a case with your security team will do no good. I will get the same response from them as I just got from you - didn't you listen to what Missy told you about her interaction with your team? Opening a case with the Justice Department would be much better. The hackers got me again last night. They tore AVG12 apart. They disassembled all the software I downloaded throughout the day yesterday, they took my local admin rights away and made me a user on my own damn machine that I own - all with Microsoft products that you even claim were signed by your Company or in nine cases not signed.

    I finally said F it and deleted every file on my computer that was not write protected. Of course the WinPE stuff from 2006 will still be there. Here is what I learned today. I need to stop winmgmt by issuing a simple command line option. I learned how to disable Group Policy in the Registry setting. I will also be shutting DCOM down which Domain Controllers use to remotely access and keep updated their Group Policy on the remote machines. Once DCOM is disabled I can disable COM+ Services. All of these above mentioned services were the only ones I had no control over.

    I have been advised to shut down port 135 via a netstat command as this is the port used to remotely access for Group Policy changes. I think there is also a netsh firewall command that can be issued to disable RemoteAdmin capability.

    I hope this clears my problem but since the very first day this occurred that Group Policy running has me pointing a finger at it. Why would a standalone Workstation need to have a Group Policy? I spent 2 freaking months working with a Microsoft owned technical support company and only got bewilderment gestures throughout. Almost exactly like your response today.

    I won't be contacting Microsoft with regards to this matter anymore. If I have any contact with them it will be in a different venue. Thanks for your help and support.

    Tuesday, 6 September 2011 20:15
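    The post above proposes disabling Group Policy, DCOM, COM+ and port 135 on the theory that a remote domain controller is managing the machine. Before removing services the OS depends on, the claim itself can be checked from what Windows records locally: whether the computer is domain-joined at all, which GPOs (local or domain) have actually been applied, and which process owns each listening port. The script below is an added example, not the poster's commands and not Microsoft's tooling; it uses the standard Win32_ComputerSystem WMI class, the Group Policy history registry key, `netstat -ano` and `netsh advfirewall`, and assumes Windows PowerShell in an elevated prompt on Windows 7 or later.

```powershell
# Added example, not code from the thread or from Microsoft: read what the OS itself
# records about domain membership, applied policy and listening ports before deciding
# that a remote domain is in control. Windows PowerShell, elevated prompt.

function Get-DomainJoinState {
    # Win32_ComputerSystem is the OS's own record of domain membership; a home
    # machine reports PartOfDomain = False and a workgroup name in Domain.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $roles = @('Standalone Workstation', 'Member Workstation', 'Standalone Server',
               'Member Server', 'Backup Domain Controller', 'Primary Domain Controller')
    New-Object PSObject -Property @{
        ComputerName = $cs.Name
        PartOfDomain = $cs.PartOfDomain
        Domain       = $cs.Domain
        Workgroup    = $cs.Workgroup
        DomainRole   = $roles[[int]$cs.DomainRole]
    }
}

function Get-AppliedGpoHistory {
    # Group Policy records every GPO it applied under this key. A domain GPO carries
    # a DSPath (an LDAP path to the domain object); the local GPO has none.
    $history = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    if (-not (Test-Path -Path $history)) { return @() }
    Get-ChildItem -Path $history -Recurse |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.GPOName } |
        ForEach-Object {
            $source = 'Local'
            if ($_.DSPath) { $source = 'Domain: ' + $_.DSPath }
            New-Object PSObject -Property @{
                GPO    = $_.DisplayName
                Source = $source
                Files  = $_.FileSysPath
            }
        } | Sort-Object GPO, Source -Unique
}

function Get-ListeningTcpPorts {
    # Parses `netstat -ano` output because Windows 7 has no Get-NetTCPConnection.
    # Lines look like: "  TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  812"
    netstat -ano -p tcp | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f.Length -ge 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') {
            $procId = [int]$f[4]
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $name = '?'
            if ($proc) { $name = $proc.ProcessName }
            New-Object PSObject -Property @{
                LocalAddress = $f[1]
                Port         = [int](($f[1] -split ':')[-1])   # works for 0.0.0.0:135 and [::]:135
                ProcessId    = $procId
                Process      = $name
            }
        }
    } | Sort-Object Port
}

Get-DomainJoinState | Format-List
Get-AppliedGpoHistory | Format-Table GPO, Source, Files -AutoSize
# Port 135 is the RPC endpoint mapper and is normally owned by svchost (RpcSs) on
# every Windows machine; the question is whether the active firewall profile blocks
# unsolicited inbound connections to it, which the netsh line reports.
Get-ListeningTcpPorts | Format-Table Port, LocalAddress, ProcessId, Process -AutoSize
netsh advfirewall show allprofiles state
```

    Reading the result: PartOfDomain = False together with only a "Local" entry in the GPO history means no domain controller is pushing policy, and the settings in effect come from the local policy store on the machine itself. `gpresult /r /scope computer` gives the same applied-GPO list in Microsoft's own format if a second source is wanted.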
  • You're putting words into my mouth.  I said that drivers being signed by Microsoft isn't unusual.  I did not say that Microsoft issues unsigned drivers (we don't).

    The reason I suggest opening an issue with our teams is because what you're communicating here as a hacking issue needs to be investigated.  Hacking isn't really an OS issue per se, but we can help to find out what type of intrusion you've experienced and give you steps to remediate it.  As I have repeatedly said here, if you re-format and reinstall your system and you still have the issue then it's something living on your network that is causing the issue.  There are steps you can take to alleviate some of those issues as well.

    I'm not sure who you're working with that is a Microsoft owned technical support company, but if they aren't Microsoft Technical Support then they are likely a gold partner, which isn't the same thing.  The reason you're getting bewildered responses from either myself or the other group you're working with is because I still honestly don't know what your problem is and most likely, neither do they.  The issue seems to constantly jump from one thing to another and I am trying to get a handle on why certain things are acting in a specific way.  Again, this is why I have asked about you reformatting and doing a clean installation and the results.

    You can remove the WinPE partition from your installation but I doubt you would be under support via your OEM so I will let them tell you how that's done.  But overall I am just trying to help you out because the issue is obviously frustrating.  If you no longer want assistance, that's your call but I am willing to keep working on ways to determine root cause.  It's just a lot harder to do on a web forum.


    --Joseph [MSFT] http://blogs.technet.com/b/joscon/
    Tuesday, 6 September 2011 20:26
  • Frankly I have not seen this level of "challenge" per se, though I have fixed many compromised systems, and I have not seen anything survive a complete partitioning of the hard drive and reformatting, then freshly loading the OS.  This level of compromise of your system is off to say the least.  I would have to ask just what you're loading, software-wise, onto the system?  On the surface, a legit Windows install with legit software packages should not be an issue; the only time I see things this bad is when people re-install shareware, or slightly used software off the internet that contains a rootkit and other nasty packages.

    Otherwise, with no internet, no connectivity, no bluetooth, there just is no way to get it onto your system, unless you have others getting access to your system and hitting malware laced websites, or they ninja in at night and upload this physically onto your system while you're asleep or at work they are in your kitchen eating your cookies.

    There are Microsoft drivers for known products like Intel, Logitech, etc.. that are valid, just a default driver set for recognized hardware, even MS has a default driver for Nvidia for video (though the full blown nvidia driver is the way to go)

    At this point from what you say, they have your pc, blackberry, wireless mouse, etc... you should be looking for the men in black at this point, or gremlins.  


    :P Advice offered, If you need more help it is advised to seek the counsel and advice of paid professionals. The answer is always 42, or reboot.
    • Proposed as answer by Jason Hiegel Tuesday, 6 September 2011 20:36
    Tuesday, 6 September 2011 20:35
  • Michael!

    I'm so sorry to be just responding to your post. My internet access was "restricted" for several days. First, I can not tell you how validating it was for me to read your initial post. For almost two months, all I've heard from anyone is "that can't be happening". Typically, I am an incredibly easy going, even tempered person. Yet, a couple of times, I have been close to Mt St Helens on an eruption level. The entire situation is completely frustrating.. having to deal with the laptops, the tech people.. ugh.

    Anyway, we have much of the same hardware. I have SO many drivers in my device mgr. Whatever is going on is completely related to USB ports (that I don't have) and UPnP devices that aren't connected. Many of the drivers are listed as "running in a separate memory place". In addition to the weird Media Center angle (speaking of which, I've found files indicating my xFinity box is somehow related - I did some research and the xFinity controller will drive most any wired device), I'm pretty sure the icons play a part. They are all now enhanced. Fonts are involved, as well. I know that's a bit vague, but this is way out of my realm. Have you noticed lots of bogus file extensions? Looking in the registry of both laptops, there were so many. I don't want to take the time to check my notes right now, as I'm afraid I'll lose this post. I'm typing it on notepad and will copy and paste it when finished.. that way, I can keep saving it as I go along. I've learned my lesson having lost a couple of other lengthy missives I've written in regard to this situation.

    Yes! I have the "X: drive" too! It's not obvious in my computer but I see it when I do my basically daily reinstalls. I have the handicap programs set up, as well, the magnifying glass, and the speech thing. Do you have a folder called Panther? In one of your posts, you mentioned Windows Easy File Transfer is involved (DEFINITELY). Today, I was in the control panel of the Vista laptop and saw I had offline files (I didn't even know there was such a program).. I don't.. but someone does, and to the extent of 35GB. I was able to access the files. One was Me (my computer name), one was Network maps, and one was Computers. The folders were all empty but empty, they added up to 35GB. Do you have little arrows at the top of the menu bar on your file folders? If you click the little arrow, it goes somewhere else, possibly to a mirror file. I have a ton of empty folders to which I'm denied access, my assumption is they're for transfer purposes only. I do know my HDD on both laptops are "online".. they shouldn't be. Also, within "my computer", there's a recycle bin.. not strange.. but it's locked (strange) and there's another recycle bin inside it (more strange) and finally, my hard drive or a copy of my hard drive is inside it, as well (truly bizarre).

    The way things are set up, I basically am nothing but a port of information. I have access to my docs, photos and a few program files. I'm locked out of everything else. I can not do a hard reset on my month old router and the password has been changed. So, I'm locked out of that, as well. I have never been one to share files, anything but now I am sharing everything.. my phones, my laptops, everything. Changes were made to my Verizon account last week.. I didn't make them. I have apps on my phones I didn't put there. Just like the router, they will not reset to factory default settings. Just like the router, they start the reset process but don't go through the final power down to complete the process. Before I forget, the Windows Sync and Sidebar programs are heavily involved in the conjoining.. I refuse to call this a network. They are my computers and I didn't set this fiasco up. I also saw a file indicating that IAS was instrumental in the initial point of entry. I'm not sure what that is and haven't had time to check it out, yet.

    Michael, you mentioned the personal effect this situation has caused. I truly understand! For years, I've made a good living selling on ebay. For the past 2 months I've been afraid to open my PP account. You mentioned the video cam.. I have that, too. I also have microphones in my sound devices I didn't install. Finally, in the device mgr, there are drivers for a PS2 mouse (neither of my laptops supports that interface), a PS2 keyboard and a PS2 monitor. It is gravely startling.

    Back to the reinstalls, immediately thereafter, all of the group policy files are completely in place and off limits to me. Plus, the DVD drive makes lots of funny noises during the entire process. I am pretty sure whatever installation is going on, is being driven by the "big boss" computer. I know this sounds nuts but I've seen files indicating my MBR is in the DVD drive. Hey, do you have an icon for a jump drive- drive E:- that you don't really have? It drives me nuts. All of this drives me nuts.

    Have you looked in any of the DCOM files? In the reg keys, there's something called the threading model, threading something. Anyway, the value is "the apartment".. No lie. Oh and yes, my software and documents have been subverted. I made a note of the files in my AVG and then downloaded it at my sister's just to check the file content. It was not the same.

    I have so much more to tell you but this is so disjointed already, I think I'll save it for later.. This is a really weird thing to say.. but thank you, Michael! Thank you for your post.. thank you for knowing what I'm talking about.. just THANK YOU!

    Missy

    PS- one more thing.. have you noticed the default IE home page after one of your reinstalls? Is it http://go.microsoft.com/fwlink/?LinkId=68748? Having recently had a total of 4 Dell factory refurbished HDD with a factory image of the OS, I noticed the default home page on each was Dell.com. So, I called Dell and asked if that was always the default IE homepage on one of their branded Windows OS disks.. Yes, it is.



    Sunday, 11 September 2011 1:40
  • Jason/ Joseph-

    Thanks to both of you for weighing in. I'd like to clarify my position, I don't really care about assigning blame. I don't see this as a Microsoft problem. I see this as a Missy problem.. a BIG problem for Missy, and it seems Michael, as well. I just want some help. I don't care where it comes from. I think I can speak for Michael, as well.

    I would gladly open another case with Microsoft if I thought the responding tech would actually listen to me, consider what I have to say, the depth of the information I have. Yet, as my "scans" will come up clean.. they won't. My experience has been they will not listen and they will speak derisively. I am so not up for having to defend myself.. and so totally over having to repeat the same thing over and over to 37 people and then be told a clean install or a new HD will solve the problem. Back to scans, I'm pretty sure my WU update files are subverted. I also know they bring in other programs as they're installed. My laptop that runs Win7 showed it was installing update number something of update 51,937. Give me a break. Tonight, I downloaded an ATI video driver from Dell.com and Microsoft Visual Basic C++ 2005 came with it. Whatever is going on in my laptops, whoever is driving it, they aren't even discreet anymore. During the installation of the ATI software, I actually had the option of installing the ATI software and/ or the M VB C. There were selection boxes next to both. I couldn't actually make a choice. The choice had been made already and made permanently. The boxes were no longer active. They were checked with unremovable check marks.

    Finally, I forgot to mention this to Michael.. whatever this is, I'm pretty sure its current model is the DENALI project server on Microsoft's website. I know nothing about it, had never heard of it before. However, today I saw several pages in my IE history.. no one uses my laptops but me. I'm wondering if the "Panther" file I have, which is relatively recent, is a take off on Denali. Really, I haven't been online much this week. So, little of the IE history was mine. My comcast modem and Belkin router both showed tons of activity all week long, especially late at night. I couldn't get online. Alternately, my Network Controller would be disabled (not the reenable kind of disabled but the FY kind of disabled) or the Network Troubleshooter would show no problems but an error msg saying either "restricted" or "access denied".. How much would that just piss you off? There are days when I feel like running my car over both laptops.

    Anyway, if you have any suggestions as to a specific department at Microsoft, even better, a specific person, I could call, I would be grateful. Isn't this situation what all those updates are coded for? Someone there has to realize this does happen. Yet, the thought of spending hours on hold to reach someone who can't even fathom something like this, who patronizes me and speaks to me like I'm either crazed or a moron, it's just not worth it. OR- if you could give me some guidance as to how far I need to go to completely clear this.. and I'm not talking about fixing my laptops. I'm talking about new laptops with Linux or a Macbook, new router, new phones.. Seriously, not being able to feel comfortable working on these laptops, not to mention not being able to count on reliable use is killing me financially. I need to fix this, fix it completely and fix it fast. I don't really have the money to spend right now, but I can't not spend it. If that's what needs to happen, if that's the route I need to take, I just want to be certain I do it completely. I don't want to not replace something that needs replacing, then find I'm in the same place, with the same problem and even less money. Then I would be epically pissed.

    Thanks!
    Missy
    Sunday, 11 September 2011 2:29
  • Missy,

    After being controlled by this monster for sooooo long I think I have finally started to see an end to it. This is all related to the Microsoft Group Policy, Active Directory, DCOM and COM+. I started by turning off Group Policy and DCOM in the registry. I immediately saw a big difference. All the processes being run by other people stopped. But this concerned me as I thought maybe some of those processes may be needed by the OS. So I made a big mistake and turned DCOM back on.

    This led me to another 5 days of frustration and another 10 new installs of the OS. This occurred because the hacker put in some type of program that crashed the OS if I turned Group Policy off. So at the moment I just have DCOM and COM+ turned off. At the moment the hacker can not control my Laptop, but he/she/them are still trying to gain access as I see them trying to enter when I monitor the Network. Within minutes of downloading a new firewall program they disassembled it.

    So while I am no longer under "The Man's" control, my computer is still infected with a lot of garbage. I also have the Group Policy running. I know how to turn it off, but now I am concerned about turning it off as I can not afford to have my laptop crash again. I also have all of the DCOM programs on my laptop. If somehow this person were able to gain access to my machine and then turn on DCOM, I would be right back where I started at.

    Virtually everything that you see occurring on your machine is or was on my machine also including the reference "The Apartment". It is funny in that I thought this to be funny and a little strange myself. I found that about 2 or 3 weeks ago.  I had some log files that I saved and had hoped to present to Microsoft's upper management, but these people somehow wiped them off my hard drive. I don't know if they had set up a program to wipe their steps if the computer got out of their control or if they sent the computer instruction to do this. These log files contained information about my OS installs. There was also one large log file about all OS installs these people have done and there were thousands of records. It appeared as if this install may have been sent to Microsoft. I think these people may be some type of re-seller or authorized distributor for Microsoft. I do not know how Microsoft's dealer channel works so I will not comment on this too much, but it does appear as if Microsoft is also being duped which all along I had suspected, but when I brought it to Microsoft's attention awhile back I got "I doubt it" comment.

    I am a little concerned about giving you the exact instructions to turn off DCOM and COM as I don't want to be responsible should it not work or should you have some other problem. I will tell you it was done via Component Services under Administrative Tools. You need to go in as the Author. You need to change your capability to Author Mode once you get in. You need to open Component Services, open computer. You should have a "My Computer" icon. This is the magic. You need to right click "My Computer" go to properties and open. You should get a window with 6 tabs. This is very important. If you did any of the previous steps incorrectly you will only get 2 tabs (this stumped me for a week or so). You need the six tab window. Go to the default Properties tab and take the check-mark out of DCOM and COM. It is my understanding DCOM is designed to be run in a Wide Area Network environment which one would find with Group Policy enabled. I don't know so much about COM services but I wasn't taking any chances so I just turned it off. Once I did this "The Man" who controlled my machine was gone. Once I did this I immediately started to get many requests for remote assistance. I also started to get a few pop up windows (and continue to get them) stating that a particular program is not compatible with my OS and the recycle bin is corrupted. I started to get the recycle bin pop up a few weeks back. I am now afraid to click it to fix it. I am concerned it is malicious and may send a Remote Access approval back to "The Man".

    I feel as though I have gone to hell and back with this issue. Everyone thought I was crazy. I would bring my computer to repair shops and they would just say Microsoft always has these things running. I started to think I was going crazy myself. I have just validated they were all wrong and I was 100% accurate that my computer had been hijacked. This issue has cost me a lot of money, lost income and so much time and frustration that I can't even put words to it. I called Microsoft's special computer problem number after I resolved this issue. I told them what had occurred. They directed me to a website which goes to Microsoft's Ethics department. I will certainly let them know about this as I believe Microsoft needs to inform me as to how I get my computer OS back to how it was before these events occurred.

    My problem with Microsoft is I have a contract with them to provide Software virus assistance. I asked them in March to help me turn off Group Policy. They said it could not be done via Win 7 Home Premium.  Looking back I wonder how it could be turned on if it couldn't be turned off. I am now using Win 7 Ultimate and I still have no way to turn it off without going into the registry which is not something I am willing to do after what I have just been through. Two good things came out of this but it still was not worth what I went through. One was these hackers increased the speed of my internet connection by 400%. The other was I got a free copy of Win 7 Ultimate. It was a bootlegged copy to begin with but since my legit copy of Home Premium was not offering any solutions I decided to give Ultimate a try. Every time I put a new copy of the OS on my computer I would receive a new registration code within 24 hours. It is my belief this new code came from the hackers as there is no other way I could have gotten it.

    One last thing - be very wary of Windows Updates. I believe Windows Updates played a very important part in this mess. It is my understanding Active Directory customers can use Windows Update to send the computers they have under a Group Policy to a different website than the one the general public would be sent to. Obviously this is very concerning.  At the moment my Windows Update is in some type of error status. I had suspected all along I was not receiving the correct updates for Windows. When I installed SP1 from a disk I got many error messages; later I would get my computer back online.

    I want to somehow stay in touch with you to make sure your issue gets resolved and as confirmation this was a real BIG problem and I was not going crazy. I will check back in a few days. Good luck!!


    Monday, 12 September 2011 1:54
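The post above toggles "Enable Distributed COM on this computer" by hand in Component Services and describes the machine as domain-joined. The PowerShell below, added here as an example and not code from anyone in this thread, reports those same settings read-only so a user can verify the state of a machine before changing anything: the EnableDCOM value under HKLM\SOFTWARE\Microsoft\Ole that the Component Services checkbox writes, the default COM launch/access descriptors, and whether Windows actually thinks the computer belongs to a domain. It assumes Windows 7 or later and an elevated PowerShell prompt; it changes nothing.

```powershell
# Added example, not from the thread. Read-only inspection of the DCOM and
# domain-membership state discussed above. Assumes Windows 7+ and elevation.

function ConvertTo-SddlString {
    # Decode a REG_BINARY security descriptor (as stored under HKLM\SOFTWARE\Microsoft\Ole)
    # into readable SDDL so the granted SIDs can be compared with the expected defaults.
    param([byte[]] $Bytes)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList @($Bytes, 0)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
$ole = Get-ItemProperty -Path $oleKey -ErrorAction SilentlyContinue

# The Component Services checkbox is persisted as the REG_SZ value EnableDCOM ("Y"/"N").
# When the value is absent, Windows treats DCOM as enabled (the default).
$dcomEnabled = -not ($ole -and $ole.EnableDCOM -eq 'N')
"DCOM enabled           : $dcomEnabled"

# Custom default launch/access descriptors only exist when someone changed them from
# the built-in defaults; absent values mean the defaults are in force.
foreach ($name in 'DefaultLaunchPermission', 'DefaultAccessPermission',
                  'MachineLaunchRestriction', 'MachineAccessRestriction') {
    $present = ($ole -ne $null) -and ($ole.PSObject.Properties.Name -contains $name)
    if ($present) {
        "{0,-24} : custom, SDDL = {1}" -f $name, (ConvertTo-SddlString -Bytes $ole.$name)
    } else {
        "{0,-24} : built-in default" -f $name
    }
}

# Domain membership as the OS itself reports it. A home machine should show
# PartOfDomain = False and a workgroup name (usually WORKGROUP) rather than a domain.
$cs = Get-WmiObject -Class Win32_ComputerSystem
"Part of domain         : $($cs.PartOfDomain)"
"Domain or workgroup    : $($cs.Domain)"

# Group Policy results for the computer scope; on a non-domain machine this lists
# only local policy (or nothing). gpresult ships with Windows.
gpresult /r /scope:computer 2>$null |
    Select-String -Pattern 'Domain Name', 'Domain Type', 'Applied Group Policy Objects', 'N/A'
```

Members of the local Administrators group can be listed with `net localgroup Administrators` if the question is who else has rights on the machine.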
  • Michael and Missy.  I am a member of your club.  It happened to me also...going on 3 years, multiple phones, computers, hard drives, modems etc.  I think I am on the brink of losing the whacko.  My questions to both of you are...did you grow up in Loudoun County and attend high school in the 70's and or do you or have you lived in Oregon, Washington or the San Fran area?  If you answer yes, would you please join me in prosecuting "her"?  Thanks for your reply.  Cat
    Sunday, 10 June 2012 2:35
  • Isn't it nice to know we are not going crazy or we have imagined all this craziness?  I finally got to the point I no longer cared what people thought and accepted this is how it is going to be.  Computer professionals (being nice) today are absolutely mind blowing.  95% of them should be ashamed of either themselves or 2 out of 3 of their fellow wackjob geeks they work with for charging people $100 to come in their home and run a scan they got for free off the internet.  If the scan doesn't find the problem there is no problem they say.  LOL  While dealing with the same infection as all of you have listed on here, one can't help but gain knowledge about computers.  I certainly know I have.  In fact, so much knowledge a smart computer pro will say, "you know more about this than I do, I'm sorry this is way above my head".  Or you get Mr.Cheez who walks in your home collecting $120 an hour with his little zip drive that he has downloaded Norton scanner with a side of Malwarebytes on it.  Then I have to say "Bud, had I known this is what you were doing, I would have told you to stay home and let's not waste our time".


    AVG has been the worst!  We bought the $200 tech package from AVG where they can remote into the infected comp and repair it.  Well first they need to understand it is not normal to have 850 desktop.ini files on the computer with half of them dated the current day.  Even though I don't own a piece of Brother equipment it is normal to have 3 of them in my device manager they say.  Oh, if I could have come through the phone I would have given him a V8!  The ones that accuse me of being crazy I tell them I will give them $100 to bring their comp to my home and I guarantee within 3 hours it will be infected.  I'm still crazy and no one has taken me up on my offer....scratching head. AVG refused to refund us our $200 being as though they have time invested in fixing nothing!  As we all know this thing can change a boot.  While booting to the AVG cd, I felt that I was being Hijacked and the boot was changed.  I asked the AVG tech to read to me the correct boot.  He said he couldn't do that.  I told him to get an AVG cd and hit tab at the boot screen and it would list out the boot.  He doesn't have an AVG Cd in the AVG computer repair department!  I had to laugh and tell him...now that's crazy!


    We have been infected since Feb 2012.  The infection has taken on many different personalities over the year.  Recently I have concentrated on Winsxs and the different versions of files.  I believe I should be version 6.1.7600.16514 yet am running 6.1.7600.16385.  I am win 7 home premium.  I have had some success with pulling the usb keyboard, mouse and anything else usb while loading anything.  USBs are being manipulated in some way.   The x: drive is also an issue.  Possibly one of the many OSes I have on the machine.


    Really, I am way past trying to figure this crap out.  We too have lost cell phones.  Sprint is the carrier we had and they too were proud and boasted about how their equipment couldn't become infected.  Fighting was becoming old and convincing people was no longer important so we went to a home phone which is now infected along with our tv's that use AT&T cable, phone and internet.  AT&T said their equipment couldn't get infected.  We started seeing files from the comp on the tv's and vice versa.  So while checking into AT&T's equipment we find out the DVR's have hard drives in them with a CE OS.  See what I mean about people and their ignorance (being nice again)?  HELLO!   Hell......Helllo......hard drive!  Say it slow Mr. AT&T internet tech hhaarrrddd   drrriiveee.  Wow!  Another crackerjack box license this man has acquired.  If I was in the computer world operating as a professional today, I would be embarrassed for most of these morons.  And Microsoft...don't get me started.  I can't believe Bill Gates has the nerve to come out with new OS and charge money for them with the trash he has left people with.  Xp had a flaw in it that Microsoft wrote a patch for and guess what?  Win 7 had the same flaw!  Wow, now that is attention to detail.  How about Kb976902 the blackhole that automatically loads on my system and is supposed to not be able to be deleted.  Again, Microsoft good job!  This RPC, file sharing shit is comparable to Bill Gates with diarrhea.  I would rather get an add on for those features than built right in to my system and have to have them.  Ever heard of none of your business and you can't come in?  Not Mr. Gates!


    This whole deal is exhausting.  I got a computer to have fun on, research, pay bills and make life simpler.  This is far from any of that.  Microsoft obviously doesn't care.  Anyone been on Windows 8?  Oh boy!  Lil more junk to line Bill's pockets.  Nice job rearranging and hiding icons Billy Boy...He is boring and uncreative.  Someone needs to pay for this mess!  I am noticing Win 7 home premium 64bit is a common OS being attacked and we also had XP affected too.  This deal has not been cheap.  We have had over 12 new computers in this house all to be infected within hours.  Software, hardware, cell phones, computer repair, computer rip off and just plain aggravation.  I will never donate to Gates and company again.  They need a wakeup call!  In my book they are thieves.  I am finally finding people with my same problem which is a breath of fresh air.  I would not wish this on anyone except for every computer dumbass that has called me crazy oh and Microsoft.  I have considered hiring me a hacker to tackle this deal that way.  If we blow up both sides of the systems, so be it!  Just blow it up.  I am just shy of moving and starting all over again.  I have considered the what if I could get clean and realized I have numerous people around me with the same ISP and they probably have no idea they are infected.  My Grandmother for example who is a play games computer user would never know.  I am convinced there are more illiterate computer users than literate.  Which does not help us in this situation.  As far as anti-virus or protection.....Nahhh the more who become infected is the more chance we have of getting help with this issue.    I hate to sound so callous, but it's true.  Not that I could get any protection to work anyway.  I believe part of that is because I really am not infected so much as there are multiple OS I'm dealing with.  Vista, PE, Nt and a lil of this and a lil of that.

    Someone mentioned Trusted Installer and Mr Microsoft Jason I believe jumped right in saying how these things are normal.  Well the dumbass doesn't work normally on mine Jason!  Matter of fact I delete him and have no problems!  I don't like his permissions and that he locks so much of the system down!  Have to ask Trusted for permission..oh no I don't.  Lil bit of TakeOwn and Trusted is gone.  By the way, a helpful little tool Takeown.zip. Can't open a file...right click takeownership and do what you please.


    So if anyone has any ideas on the legality side of this let me know.  I know you can go to the FBI website and file a complaint which we have done.  If anything it may protect you if your IP address shows malicious activity and you have to prove it was not you.  We called the police and they told us we had to be missing a large amount of money or some sort of child pornography was going on.  Well the hacker smacker has not made me privy to such info.  Just for fun I would create screen names that were colorful and not so nice for example: HackerLikesLilKids and the computer was shutdown within 20 minutes requiring a reinstall.  Whereas if my screen name was SusyQ I could go weeks as long as I didn't buck the system.  I guess somebody got their feelings hurt and bots don't have personalities.  We can evoke anger with a little message in notepad left on the desktop or how about a scrolling screen saver telling HackTheSmack just how neat they are!    Heck we have to laugh sometimes through this.  Especially when our boot or chkdsk disappears or some other stupid trick he pulls to shut down the computer because he is not getting his way.  All of the delayed loads or APPCrash so he can get his stuff ready first and then I can have mine.  I'm always thinking, "this is my computer and I am borrowing it"!  Now that is crazy!


    I am sorry for all of you who have been dealing with this.  I completely understand the frustration and helplessness.  I just can't swallow that this is not a crime or at least a faulty product Microsoft is putting out there.  I kept my systems up to date and don't feel responsible as a user for this type of malfunction.  This situation is way bigger than me and more along the lines of the programmers who write and create vulnerabilities.


    Wednesday, 9 January 2013 14:14
  • I am now and have been since Dec 2 12, had an almost identical sitch. I picked up a new modem from my ISP, old reliable died! They had no security set up and claim not one user manual! Well I have been fighting this virus for four weeks about 12 hrs per day. Not winning. They also use my net more often and as easy as I do! Usoft is NOT HELPING!! NOR IS ISP! ISP says we have over a thousand customers, you have the only issue. After calling Msoft and getting cut off after holding 5-9 minutes per try, I finally had a supervisor & a sec. engineer for about two hours; they were blown away at the quality of the rootkit, told me to buy Win8 and they would call back!

    Sent win 8 on a paper card!!!!! and now that no one ever called me I call and they want $100 to try to help! so I'm out $200 with no warranty at all! After 20 years loyalty I'm learning Linux or buying a MAC. ALL wired NO WIRELESS!!! Thanks for nothing guys!

    A team of very good hackers from Russia put an Apple overlay on my NTFS HDD, it had 3 hidden partitions, a total of 82 APPS and files! total control of a windows machine in less than one hour! Most diskware does not even detect the virus, a disk from cgsecurity.org finally let me see what was beating me so bad! but the disk was designed to recover lost data, it has no Delete! plus they have several pro grade backup progs. and took over the main TPM just as a start! If they catch me, they just LOCK me out !!! I work hours off line, then when I need reference or a tool, I go online for minutes, and they put me worse than each prior attack!! My $1000 gateway that I have loved for 3 years, is now junk!! I read the logs, Windows has NO security! even sec. essent. reports back what they tell it to! they rewrote the registry 80-90%, and have approx. 12 logons to my router any time it is on.  If it was not so uncool to others, I bet that if purposely spread, this virus would put Msoft under in less than 2 yrs! They cannot repair it! You have to clean HDD, ROM, RAM, vol shadows, bios all at once then stay off line! or get a new machine and stay offline! I can't even find a tool that sees the hidden extended part.s let alone clean them, tried every cleaner out there! no help! machine starts to get taken in 1-2 hours, you look at windows explorer and would not recognize it, also whole pages of registry, and they have top security, so no deleting when you do find a deletable. Msoft engineer says it is not considered possible to hack a TPM1.2 chip! EASY for the russkies team! good luck!    psylosyfer@hotmail.com  if you find anything!!! PLEASE!!!

    Thursday, 10 January 2013 15:48
  • Sorry to hear of your plight, at this point it may be wise to seek out an IT guru local to you, take him your laptop and a new unopened USB hard disk.  Ask him to recover your documents and files, and tell him you're infected or exploited with malware so he can take action to proactively scan your system prior to saving your files.

    At that point I would format the system completely with a fresh install, turn up MS security essentials, enable the firewall, and start an active backup process once you're done rebuilding your laptop.

    Something does sound off with your system.

    On the bright side, you're not in a completely unrecoverable situation since you still maintain access to your system.


    :P Advice offered, If you need more help it is advised to seek the counsel and advice of paid professionals. The answer is always 42, or reboot.

    TRIED way more than that no help! you are lucky to even see it! on HDD in whatever filetype on hidden partitions! I tried industrial erasers, then making all kinds of sizes of formats with different file types and cluster sizes, made at least ten different size partitions, then made sensible partitions for win7 pro reformatted NTFS, That is when I tried win 8 pro, starts acting odd and locking out controls, at least as fast as win7 pro, I think faster! B4 I went back on line! Msoft sold me that win 8 would do a complete hd clean & format! maybe it is in ddram and rom and cmos, maybe writes to all your closed CDs tools are on! doesn't seem possible but they had all their scripts and dlls back that day, mostly use sys32 utils that are part of windows, just better at it than Msoft is! They do what they want while you look at a false screen and wonder if you're losing it! then you find proof here and there! but no cure!
    Thursday, 10 January 2013 16:02
  • Oh and by the way - this is not malware or a virus. This is old Microsoft device software that has been loaded onto my machine. Virus and malware scans turn up nothing. It looks like legit software as it is. It is just old and highly vulnerable to security issues. I have Microsoft device software from 1996 on my laptop. This seems a bit old to me but maybe I am wrong. It is this combination of old technology and new technology that is so problematic. They have complete control over my system and no one knows how to find it and rid my machine of it.

    I had a top notch machine, even at 3 yrs it still had better specs than most new ones, running Win7 Pro, with minor glitches if anything.

    Then my ISP sent me home with a router/modem that had no security enabled at all except AES key and password. That same day, my system was ruined. If I get a new one, the URL won't change so it would be futile! I will buy a new HDD and become a Ubuntu expert, then only go online with an actual wire cable! No other safe way. If you looked at the logs generated, these people are not even having to think, they are having fun covering all their tracks; in a few years they will probably just sell the best OS ever made! They run Windows better than Microsoft!!! Far more clever how they do what it takes, fake bitmaps to show you while NOTHING is a part of what buttons you're pushing! You keep getting greyed out, then controls are gone, then one day you piss them off and you are totally locked out! Two hours to set up and begin to install drivers etc.? In moments, they are doing things that take me days!!! If you ever actually see it, it says 1CD Russian finance enterprise 8. Then two pages of apps and files, things like Bacula, and CADtwoCAD/PRO, dejaVU, etc. Please mail me if a cure is found psylosyfer@hotmail.com P.S. Win 8 is weird!! Wonder how much is the virus?

    Thursday, 10 January 2013 16:18
  • You Sir are right, a cable is the way, but a properly setup wireless worked for years as it does with most folks. However, I do not go back online after spending hours cleaning out what I can find; they do HIDE something somewhere! I noticed some chunks of DDRAM claimed to be "system reserved"? Any truth to that? And remember they took minutes to control the TPM on my motherboard; here engineers say it cannot be done! What say?

    psylosyfer@hotmail.com

    Thursday, 10 January 2013 20:22
  • Call Msoft Security desk 866-727-2338. They can do anything remote that the keyboard or mouse will do! They want $100 to get serious about the repair though!

    Using some tools and utilities from a Geek Squad CD, and a Partition Magic CD, I found as you did a 100mb X: drive on my 320Gb HDD.

    The language was Linux, but also some bits of VBScript, Java, XML, XHTML etc. Seemed like the only txt files that were easy to read (no encryption) were XML, very close to HTML; if you know HTML you can figure out what the XML was set up to do, even if you cannot write it yourself. Msoft did not do me any good. But cgsecurity.org has a forum of clever guys and you can try the builders. I have talked to WDC, Intel, Phoenix, and Gateway. NO cure, but I am learning a lot and have all up to date drivers on a DVD. Seagate has a disk setup program that the webshot looked like it would do anything you could think of. It was free, but the 1st splash screen said, "you must have at least 1 Seagate detected to run this software." Well I don't! But WDC used to have DataLifeguard; one version let you burn a floppy (remember those?). It did a low-level format, which is what I need and sounds like you as well. They no longer offer that. But they do have a nice Acronis disk manager for free! I just downloaded it and will give it a try in a few, hope it works as good as the old floppy did! That floppy made your HD 1 partition full of zeros to the capacity written on the box. Never seen it not work! But then I have never seen Avast's free anti-virus "pre-boot scan" fail to pick up a virus until now; it stayed at 54% for hours so I gave up.

    Good luck, let me know if you find a cure! Sounds like what I got. My email is psylosyfer@hotmail.com

    Thursday, 10 January 2013 20:42
  • Hey Vince-

    I have the same problem but on 2 Dell laptops. It's also affecting every cell phone in my house now. As I type this, I have been closed out repeatedly. A clean install won't do it. I've had 4 new hard drives (2 per laptop), a new memory, battery and motherboard in one of them, and countless clean installs.

    The first thing I did was call Microsoft PC Safety and was pretty much ridiculed when I said a clean install did not fix the problem. They are all about the "scan results". Well Vince, I've looked at every file on both laptops - through the registry keys. All of the files of my laptops are locked. And here's the deal: the hard drives (each with a segment missing - the 500G like Michael's is 465.8 G), my laptops are "virtual" and the MBR is in the DVD drive on one and in a phantom USB drive - drive E: - no drive installed on either laptop but the icon is on both. I can even remove it with safely remove hardware - but it's there after each reboot.

    I know I am on a server; the registry proves it. I think I may be on more than one. I have active services for both Server and Workshop, as well as about 6 Remote services, several DCOM services, the Group Policy service - and I am a total lackey in that organization. My function is to pay the internet bill, several P2P services, and a bunch of Windows Media services - extenders, networks, blah blah blah.

    I also have the same legacy hardware installed in my Device Manager but nowhere on my computer, and it causes a boat load of crashes. Oh, and yes, the memory is totally involved but I haven't figured out how it plays in from what I've been told about how the memory functions.

    Oh, I finally figured out why the scans come out clean: there are a ton of snap-ins in the MMC. "They" pull them in and out. In AVG, I cannot scan my network files - the ones I'm not even supposed to have.

    So Vince, I've spent about 500.00 in the past 6 wks and gotten nowhere, and that does not include the cost of the hardware. Both laptops are still warrantied. If you've got any better ideas than PC Safety or a local shop, please get in touch. I have a lot of other particulars which might be helpful.

    However, I am basically typing this with the page and cursor jumping all around. It sucks.. it absolutely sucks.

     

    I feel for you bro, my 320gb HD has only come back to 298gb no matter what I try! Msoft engineer took pity when I refused to pay $100, 2 days after they took me for a Win 8 key on a paper card! How do you do repairs with a paper card? Then online while they used Remote Desktop to download Win 8 Pro, they seemed to have forgotten me saying "I do not believe it will work on my virus." They were just positive that the disk clean/partition tool in Win8 would be the answer! SO, I paid, in case! When it did not work, after a two hr conf. call with a help supervisor and a Security Engineer (college grad), they promised to get back to me the next day; never happened. So on my 3rd case #, again they want $100. I said OK, refund the bad key on paper I waited a week for and use that for the money! I did not get any straight answer after that, but the engineer emailed me a bunch of white papers, PDFs and a few tools that he claimed he would use. For rootkits (so far) must run 2 McAfee progs, DEEP SAFE & Deep Defender. He snuck me an email of each with a lot of official info. Came here first but if it works I'll let everyone know! Even the group of Russians that are making money by stealing my computer; I was told that they get MANY systems and bot them to pay-per-click websites! 24/7, that would be a sweet income! But I am an old disabled poor dude that relies on my PC to do my bill paying and banking, so I HAVE to cure it! I do not know why some RAM is "system reserved," not near either edge though. I will clear that, flash BIOS, then put in a new HDD, use a LAN cable only, and buy my own separate modem\router, set up as secure as a bank's. If the virus is STILL there, I will enjoy using an axe on my PC then pick up a piece of screen and slit my t....roubles away!!!!!!!!!!!!! That is an ending of my patience type joke!!

    But I have been trying to cure this for 4 weeks, bought Win8 for no good reason! And all my bills are now late! SO what else could I say? My wife thinks I disappeared. I have been in this room so long, buried in notes, disks, empty ballpoints, and Gatorade bottles & a few beer bottles thrown in for good room design! Good luck! My email is all over this page, so if you find a cure please tell me, I'll do the same of course! I think if this gets widespread, and no cure, that will be the end for Msoft! Ray P.

    Thursday, 10 January 2013 21:12
  • I do NOT connect until the virus is already restarting itself! When I am sure the same thing is for real happening, I go ahead and use the web for info and tools/drivers, then start over. New passwords as well; sometimes I wait until DHCP changes URL then change modem pass as well, my key and the modem setup password! That is why the "system reserved" DDRAM is starting to look like B.S. to me! Gotta be somewhere right?

    Thursday, 10 January 2013 21:17
  • Sounds like a similar problem; the logs are proof that we are really being hacked, not just getting a bit weird with the PC. I have tablets of handwritten notes as the virus tells the printer it is out of black ink! Has a new cartridge! Prints fine on self tests! But no black ink from PC. I found the ink level =0x000 in the registry and changed it to a 0x001, but before I could try it, I had lost ALL privileges and could not access anything to print. SO another NO_NET INSTALL, so I have a PC for a few minutes again. Getting really old!

    Please let us know if you find the cure! P.S. go to cmd console and read your event logs, or run a search for *.txt, *.log, *.doc, *.pdf.

    You'll find proof you're not insane, good luck trying to print it though!

    Thursday, 10 January 2013 21:27
  • I know these things by simply reading the logs my system generates when operating; they were even using my print spooler as a password-free port! And "TrustedInstaller" is always the guy with full privileges, but he is not in any of your security groups, is he? He is not in any of my Groups, Users, or Principals, the 3 my machine lists for security purposes! Also TrustedInstaller comes back as 0 found when I try TechNet online help to see if it is real or a hacker; at this point, I think hacker pseudonym. He does not appear in the Find Now security program that names all your authorized accounts! And that is a long list of names and things. But no TrustedInstaller?

    My email is psylosyfer@hotmail.com, let me know if you find him legit? Please! Thank you!

    Thursday, 10 January 2013 21:39
  • Yet again very similar troubles; what I found on a hidden disk overlay was "1CD Russian Finance Enterprise 8". After that, there are 82 hidden apps and files that we cannot see, control or delete. They are not NTFS. The disk overlay is an Apple product; the most prevalent language is LINUX, but they use many others as well! I have 3 hidden extended partitions, which only some obscure small security tools can even see. I cannot lose these partitions even when I make them visible in Linux. There are lots of things in sys32 that are not stock!

    I began to compare DLLs and small Windows utilities; I find many have the wrong but same date, about 4 years before I was infected. I notice in some of the logs they mention marking a false date stamp as "true". At first I could delete files, but they would rewrite automatically faster than it took me to get "Take Ownership". Now I cannot change any part of what they do, in Windows Explorer or regedit. I am always redirected to fake websites where they want $59.95 for things that I know are free! They grey out then remove any control that could lead to exposing or stopping them. They are booting from the big partition from \windows\boot, not in the boot X: drive, that I was always told was needed at 80 hex in the CMOS or some such! They steal any video, music or pix you may have, move dirs. around; put a file away, later it is gone or elsewhere. ALL files have a -xxxxx digit following them, never before. I have a HAL in SYS32; also a lot of their stuff is in ALL CAPS! I was doing OK in safe mode, no network, elevated privileges, by erasing any file that was at all suspicious; I could run SFC.exe later to fix any that I should have kept! But now I am not allowed to delete, period! Once I was "locked out" of my PC !!!!!! I have VBScript, never bought it, never installed it. There are way too many schemas in XML; drive X:\ has a sxs dir. on it that had 3 files, now at least 100. They are totally write protected, and rewrite IF you get lucky and wipe one! Registry is not anything near normal!! Not even worded as always before, i.e. Default key values were always Default "empty", now they have Default "then a string or dword etc."

    Please email if you get any good news! psylosyfer@hotmail.com I'm Ray.

    Thursday, 10 January 2013 22:23
  • I bet your printer is disabled as well. Last night I was loading a 22mb driver; after it loaded almost instantly a poor quality pop-up Windows box said 322mb to go, will be 7 mins x secs. It was how the software stalled for time to write a reg key and install it so my printer again will not work. Again the reg. sends a message to the printer that it is out of black ink; has a full cartridge, and self tests OK. Everything is slow and jerky like a system from 1988 doing too much! My PC NEVER used to lie to me, now that's about all it does!

    The Matrix beta testing? What is real? Not on a display for sure! Look close at websites, the art is below par, the VeriSign box is gone, the certs look real fake! I have to run a movie on Netflix thru my ROKU ALWAYS TO KNOW IF MY ROUTER IS STILL how I left it! It is not as if they do not already have all my info, passwords to credit card #'s, and letters from bank security wanting to know why I changed my password hint online in Europe! USBank & Citi Bank have huge security depts.; they both had a letter here under 48hrs of noticing my PC was not itself. As for security I have the super TPM 1.2 chip, that any expert will tell you "CANNOT" be hacked at a distance, requires physical intervention! The Russians have had it off for about 4 weeks now! So THEY have more authority than Microsoft or the FBI or Intel etc. A cure would be awesome! My ISP says it can't be the new modem they sent me home with when my old one just died. Never any trouble, home network, grandson trying ALL porn sites! No problems! New modem/router, no security setup at all except my key, totally visible to the entire world; old one I was not visible from out of the house! They say everyone would be having your problems. Most users would not know a problem! Not that familiar with the machine. My wife had me ALMOST thinking I was mad! Then I found proof; now she does not want to hear one more word!

    Thursday, 10 January 2013 22:52
  • No. I do not connect my computer in anyway to the Network from the Internet cafe. I think I may have finally shed some light on this issue. Every time I got into a Computer Recovery mode I could drop down into that x: drive that has been so mysterious. Recently I noticed a Windows program running called WinPE. I did a little digging today and understand what that software is used for.
    BUT, I believe some people have learned how to take advantage of that software in ways that Microsoft never intended. First off let me say that my new laptop did not come with an OEM Recovery Partition. This was created by some people unbeknownst to me. Based on what I read today, it all makes perfect sense - WinPE can create a Partitioned Drive and once it is created and the intended software is installed, that drive can never be found - this at least according to a document I read on Microsoft's website today.
    So basically I can never get rid of this malicious WinPE software that is sitting on my hard drive. These people must be ex Microsoft programmers or are just very, very familiar with Microsoft's programming..
    I guess what they do is find a hole in someone's Internet access. Lay down this software via BITS transfer. Then they create all sorts of shares that allow other folks to access the computers that have been exposed. The exposed computers then will become servers in a way. They have been controlling my computer by somehow putting me into their Active Domain cloud. 
    This has actually been going on awhile - over a year. It wasn't until I really started to notice it and fight back that I came to the conclusion this was serious. As I would try to prevent them from gaining access, they would tighten down my capabilities via Group Policy rules. As an example, if I put in a firewall rule to prevent inbound and outbound traffic they would just disable my local firewall via their group policy. I did not even know this existed until I installed Win Ultimate - this was when I started to gain a little bit of an upper hand.
    While I finally just got on-line not more than an hour ago, I can see their work is still playing havoc with my computer. Every time I install the Virus protection protect from AVG, they come in and somehow disable it so it is worthless after about a day or two.
    I still have one big problem and it has been the same problem I have had since day 1 of this excursion for me. I cannot stop or disable or do anything with the Group Policy Service. Everything is grayed out. When I go to the command prompt and issue an sc command I get an Access Denied message with this Service. There are about 5 or 6 services running that I have the same problem with.
    I do not believe the Memory problem I have has anything to do with Memory leaking into the Video Memory. Take a look at 2 screen shots of my device manager and look at the installed devices. These were not like this before my problem started to occur. I believe these people are trying to use some of my memory to hold code or their own software for lightning fast access. I ran the debug program down at the command prompt and I found much reference to the fact they were using my machine as a testing ground for whatever is up their sleeves. When I first noticed this I could just uninstall the devices or disable them but now every time I do that I either need to re-install my OS again because I get the dreaded blue screen at my next boot or nothing occurs at all and that memory access is not mine anymore. It appears as if they are using 200meg of my RAM for their own purpose. I really think Microsoft should investigate this matter. They flew under my radar for a very long time. Once I discovered it, it has been an uphill battle to regain control of my Machine. While I have some control at the moment I do not know how long it will last with all that malicious software still on my machine.
    I have mountains and mountains of information with regards to this matter, but I need to get some other work done. I have literally been offline because of this matter for over 4 months now. It has caused me great pain in ways that might be hard for people to understand.
    Take care and thanks for the response. 
    [attachments: image.png, image.png (the two Device Manager screenshots referred to above)]

    On Sat, Sep 3, 2011 at 6:14 AM, <forumsup@microsoft.com> wrote:

    Yes, they also disable and delete all your restore points; virus progs pick it up but are told to report "0" so you see "0" threats if it picked up 123000. They often size the app so it is harder to move or use two at once. Did you get constant upgrades? Some of the KB #'s are not on record at Msoft! If you are online, rebooting or just having uptime running high, PC gets worse, your DATA deletes; eventually any user will notice a problem! They probably have PhDs and used to build ICBM guidance or some such! Now Msoft should hire them! They use sys32 internals far better than Msoft does!
    Thursday, 10 January 2013 23:02
  • Boot from a simple DOS disk, then you will have a couple hours offline in safe mode to have control again! Notice a config.sys & autoexec.bat? Windows gave that up when gas was 75 cents a gal. Try to bypass in run config sys, safe boot! Or get system tools that are bootable. PartedGTK your PC doesn't even know it's on; the whole thing runs in Linux from your RAM! Has a lot of tools! It comes on the "Ultimate Boot Disk" made by nice hackers who want to help!
    Thursday, 10 January 2013 23:09
  • If print is not an option I have been able to save files to a flash drive and then print from another computer, like the library. 
    Sunday, 13 January 2013 20:49
  • Like I said...I delete him. No he is not legit. He runs in Task Manager; I open his file from there and takeown, delete.

    Sunday, 13 January 2013 20:51
  • Wow, only 4 weeks. I don't know. I think back almost a year ago about the infection and it is completely different today. When it first started I recall a lot of overclocking going on, disabling protection software and disabling keyboards, mice, etc., setting up performance monitors to find out what my comp is capable of. I'm sure more was going on that we weren't aware of. Today, it cheats to allow the infection to catch up or repair itself. At this moment it is entering through the PCI and I believe it has been since the beginning. I know at first the infection was just about all Linux. We have seen Vista, NT, CE, XP and others that aren't coming to mind. If you are knowledgeable with Linux (I am not, fumbled through) you might try Midnight Commander (on AVG or Kaspersky rescue CD) or Ubuntu. I never could master permissions to delete core files (firmware). Interesting: try booting to a CD like this and pull your hard drive when you do. I did and could still see a fully functioning operating system with no hard drive plugged in. Try manipulating the startup, for instance connect/disconnect hard drive, wiped drive / OS on the drive, etc., using these different combinations. In the beginning, about a month into it, by doing this a partition was revealed. I was running XP on this particular system but I had wiped the drive and went to install Windows when I found this partition; I then deleted it and felt that I had finally deleted something that belonged to the infection. About 3 months ago by using Ubuntu the infection's system was damaged. A USB was connected to my system that was not mine and I figured it took all of about 7 min for the infection to repair itself and it was full force. On another laptop one evening the infection lost control of its system and all of a sudden I had about 50 windows open and hardware began installing itself that didn't belong to me. This was about 6 months into it. I tried copying anything to a USB and it was a fight.
    As I tried to copy and paste I was slowly losing control of my mouse and keyboard. AVG Midnight Commander is a file sharing program also. Somehow the infection uses this type of Linux program to connect into our computers even without internet. I don't fully understand it. I just can't believe no one else in the computer field can figure this thing out.

    Are you marking show hidden devices in Device Manager? I used to have a couple chipsets listed. Now I have none. I did just find a "Reflector Display Driver" used to gain access to graphics data and uses service RDPREFMP while looking for the chipset. I have to laugh! Cause if I was to ask someone about it they would say, "Oh yeah, that is normal". So at this point it is using our video, audio drivers and Windows Media Player w/ media extenders is its deal. RPC is the main one. I don't install any drivers at all today, because they will be perverted by the infection and used to its advantage. I have a Microsoft Shared Fax Driver and Microsoft XPS Document Writer connected, that is not mine. The Device Manager is changing all the time. There are always new things and things disappear.

    As far as tools go, we went to the library and downloaded all we could to a USB. They worked for a minute and only once. The ones I recently had the most luck with are RegRun and Rootkit Unhooker. The Unhooker was awesome as far as the time it hung in there and the knowledge it gave in its report. RegRun is in depth and a lot to it. I have been told by a computer guy (1 in the last year that was amazing) that if we can find who or what this thing is, federal charges would be charged. I was thinking more along the lines of a one year, in the middle of nowhere vacation with all the bugs and contaminated water he, she, it could consume.

    One other thing, do you find it subverts the CD-ROM? Ours it does. This is why a reinstall never works. May help to unplug it or leave it open when using the comp, along with any USB ports not being used. Our thinking was eliminate anything not needed by us, along with the RAM drive. We have used old Dell repair disks to access the ramdrive. You will see it there too. It has just been trial and error with mostly error...lol. You have put in a lot of hours yourself. Are you getting a feel for when the infection is just a bot and when it is a person (shell of a human being) controlling your comp? We see the difference. Tell that to someone who isn't familiar with this and we become aliens from the twilight zone....lol. Keep your eyes open in Midnight Commander or Ubuntu. I found messages left by yours truly telling me how stupid I was not figuring this thing out yet. It talked about my weak Internet connection and my spelling. That was a deal! I invited him to dinner and never got a commitment from him. I'm sure it or he or she knows where I live, being as though the GPS, maps, Bluetooth or any other locating apps on our cell phones were being turned on as quick as we turned them off.

    I am in Kansas City, Mo. Is anyone else close to this location? I just can't believe there are not more infected. Just here recently we have found a few similar situations. A year ago there was nothing that sounded close except for rootkits but never anything on the hacker side of it. There is one other thread on this site and it talks about the X: drive being the focus of the infection. I will look for the thread and post it. As far as MSoft and what they say....I don't buy most of it. They are looking out for themselves and that's it.

    Sunday, 13 January 2013 22:16
  • Sorry that I cannot be of more help! But I do have the symptoms that are being described in all these letters.

    Since Dec. 3 2012, I have been at war with these guys. They call it "Windows subversion". My group are called SFnetOps, from SourceForge's dark side. I believe they all got together at SourceForge and behind the backs of honest coders, they formed a cabal of "Subversionists". They somehow prevent a "complete" clean install, and they have their own boot system that bypasses the TPM then asks for the RSA key. They do leave a lot of logs, mainly encrypted, but if you scroll through them you will find some parts that are readable. They have managed to fill my 1.75 TB's to 93% in no time at all and have had 90 some odd connections at once! They can stop the firewall, and they can replace Windows updates with malware! They also have a lot of control over Adobe downloads! NO anti-virus picks up any problem. They do use old rewritten Msoft tools to do what they do but they control all this from a hidden partition that is all in UNIX. I was infiltrated by what appears to be a bogus Windows update. I have an "Autoexec.bat" which is a "dummy" file to skip "NTVDM"!

    So, update KB976932\SAND /logpath:install package_ETW.log/add-package/package path :D:\BVTBin\Tests\installpackage\Package win7sp\KB976932\windows6.1-KB976932-X86.CAB..\SAND\4F265200-04B3-92FD-06391E55BAD5-CDISMManager::Load Image session' At this point, you're screwed! They will not go away! And I cannot get them out with or without help! When I search the registry for BVTBIN I get 304 returns. I have three desktops that I have cleaned by hand down to one file that did not belong, but could NOT delete it! Tried shredding, delete during boot, compressing, using black hole. All no good! Then on ALL the desktops they killed the video. So they are now impossible to work on. They can't or won't kill the video on laptops. I have a Dell Latitude 610, 3 GB DDR RAM, 320 GB HDD running XP Pro; it is very resistant to this attack and will actually run for 1-2 months before it simply loses too many functions to be useful. My newer Gateway ML6732 is a wonderful PC, it has served me extremely well and has excellent performance. SO I knew the moment it failed to operate correctly. I have piles 2 feet high of hand written notes, some of which I no longer remember where I got the info or even why. They disable disk burning, printing, and copy to USB. As the kernel control is absolute, they can switch Yes & Cancel buttons! Whole websites are counterfeit! After a while they have the system so fouled up it will no longer boot. WDC has already replaced a new 750 GB HDD twice!

    BIOS Function: INT 0x15, EAX = 0xE820    This is from an article I read on devnet.org, but I cannot seem to run it! Is there a trick to accessing the BIOS this way?

    The Acronis system report shows that even after a flash from Gateway, BIOS address e820 has a block of data "blocked" and it will not erase or rewrite. This may be why I cannot rid myself of this nonsense.

    I would appreciate any help!

    Ray P.

    P.S. If you Google "Windows Subversion" you get a ton of HOW TO, but nada on how to STOP!

    Wednesday, August 7, 2013 17:52
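The INT 15h / E820 call asked about in the post above is the BIOS interface that hands the operating system its physical memory map: a list of address ranges tagged usable, reserved, ACPI data, and so on. The call itself only runs in real mode during boot, so on a live machine the same map is read from the copy the kernel saved, which Linux prints as "BIOS-e820:" lines at boot. The following is an added example (not code from this thread, from Microsoft or from any vendor) that decodes both the raw 20-byte entry format and those boot-log lines and totals usable versus reserved memory; all sample data is constructed. Reserved ranges (BIOS ROM, ACPI tables, PCI device windows) exist on every PC and are the normal reason installed RAM and reported RAM differ.

```python
"""Decode and summarize a BIOS E820 physical memory map.

Added example, not code from this thread or from any vendor.  The sample
E820 data below is constructed for illustration.

Two sources are handled:
  * raw 20-byte entries as returned by INT 15h, EAX=E820h (u64 base,
    u64 length, u32 type); the BIOS call only runs in real mode at boot,
    so on a running system you read a saved copy instead;
  * the "BIOS-e820:" lines the Linux kernel prints at boot (dmesg),
    which expose the same map on a live machine.
"""
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Type codes from the ACPI specification's E820 address range table.
E820_TYPES = {1: "usable", 2: "reserved", 3: "ACPI data", 4: "ACPI NVS", 5: "unusable"}

# Kernel boot-log format: "BIOS-e820: [mem 0xSTART-0xEND] type"
DMESG_RE = re.compile(r"BIOS-e820: \[mem 0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)\] (.+?)\s*$")


@dataclass(frozen=True)
class E820Entry:
    base: int
    length: int
    kind: str

    @property
    def end(self) -> int:
        """Last address covered by the entry (inclusive)."""
        return self.base + self.length - 1


def parse_raw_entries(blob: bytes) -> List[E820Entry]:
    """Decode consecutive 20-byte little-endian E820 entries."""
    entries = []
    for off in range(0, len(blob) - len(blob) % 20, 20):
        base, length, code = struct.unpack_from("<QQI", blob, off)
        if length == 0:  # zero-length entries carry no information
            continue
        entries.append(E820Entry(base, length, E820_TYPES.get(code, "unknown(%d)" % code)))
    return entries


def parse_dmesg(text: str) -> List[E820Entry]:
    """Extract the E820 map from kernel boot-log lines."""
    entries = []
    for line in text.splitlines():
        m = DMESG_RE.search(line)
        if m:
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            entries.append(E820Entry(start, end - start + 1, m.group(3)))
    return entries


def summarize(entries: List[E820Entry]) -> Dict[str, object]:
    """Total bytes per type plus the list of reserved ranges."""
    totals: Dict[str, int] = {}
    for e in entries:
        totals[e.kind] = totals.get(e.kind, 0) + e.length
    reserved = [(e.base, e.end) for e in entries if e.kind == "reserved"]
    return {"totals": totals, "reserved_ranges": reserved,
            "usable_bytes": totals.get("usable", 0)}


def region_type(entries: List[E820Entry], addr: int) -> Optional[str]:
    """Type of the range containing addr, or None if the map leaves it unmapped."""
    for e in entries:
        if e.base <= addr <= e.end:
            return e.kind
    return None


# Constructed sample, shaped like a 4 GB machine's boot log (not a real capture).
SAMPLE_DMESG = """\
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000000100000-0x00000000bffdffff] usable
[    0.000000] BIOS-e820: [mem 0x00000000bffe0000-0x00000000bfffffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000feffc000-0x00000000feffffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000100000000-0x000000013fffffff] usable
"""

# Constructed raw form of the first two entries above.
SAMPLE_RAW = struct.pack("<QQI", 0x0, 0x9FC00, 1) + struct.pack("<QQI", 0x9FC00, 0x400, 2)

if __name__ == "__main__":
    entries = parse_dmesg(SAMPLE_DMESG)
    s = summarize(entries)
    print("usable: %.2f GiB" % (s["usable_bytes"] / 2 ** 30))
    for base, end in s["reserved_ranges"]:
        print("reserved: 0x%x-0x%x" % (base, end))
    print("0xf0000 is", region_type(entries, 0xF0000))
```

On a real Linux box the same map comes from `dmesg | grep BIOS-e820`, and the totals it reports can be compared against the installed RAM to see how much the firmware has set aside.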
  • I would DEFINITELY check the unsigned drivers, some of them look alarmingly familiar! As I think I have the same problem or a variation of it. Also DAO360.dll s/b replaced if present!

    Ray P.

    Wednesday, August 7, 2013 20:20
  • Yes! One of the logs I read said "our man at Microsoft", so they DO seem to have an inside man. A low level format should clean your entire HDD and all partitions. I would use the factory download if possible; WDC no longer offers wddiag disks, ver 11.2 is the newest you can get. The Acronis program, which is great, but I need to run the old dlgdiag after the Acronis or I CANNOT boot!

    Ray P.

    P.S. All of you should run a *.log search from the root of C: and scroll down the logs; you can pick up A LOT about what they are doing and how. It leads me to the registry keys that have been altered.

    Wednesday, August 7, 2013 20:26
  • This is all true. One night they accessed my Gateway Wi-Fi from my Roku Netflix player! And they have accessed my Motorola phone! They do have bogus certificates that look real, but if you look close, you'll find they cannot be verified!

    Also in MMC with the TPM snap-in, there are two buttons on the right side; they B.S. you if you attempt to start the TPM, but when you refresh you get a 3/4 second look at the REAL controls under the bogus window!

    Also the login page is fully up and running behind "safe mode". Oh yeah, ALL the CHM and help files are fake!

    Ray P.

    Wednesday, August 7, 2013 20:32
  • Joseph,

     The issue is the ease of Vista, 7, 8 of being turned into terminals. Anyone with a server can get free downloads to run a Win PC! Google "Windows Subversion" and you will see what I mean. Windows problem or not, I've seen A LOT of infected systems, and I predict if there is not a terminal/private PC switch of some sort,

    People, by the millions, will buy nothing from Microsoft. Ignore this and I bet in two years you'll be bankrupt!

    Good luck to us all!

    Ray P.

    Wednesday, August 7, 2013 20:40
  • We need to look at address E820 in the BIOS, this is where they are hiding during a "low level format" and reinstalling all their B.S. on my Gateway ML6732. I just don't yet have the skills to rewrite this "reserved" memory area. Even a BIOS flash from Gateway does NOT remove it! I have been trying since last December to remove the group's (SFnetOps) malware. So far I only get limited success. There really should be an absolute terminal or private PC control! I cannot update or print or burn or even transfer files, unless "they" allow it!

    Also, there are many items that even after taking full control of, I still get an access denied when trying to change them. All of you should check your task schedulers, I think you'll find MANY unpleasant tasks! Also they use a program called "Watchdog" to alert the server operator when you attempt a change that they do not want.

    Is there a way to put the registry back to "OEM"? Also is there a list of the correct DLLs that should be in SYS32?

    All of you should note that there are several hidden partitions on your drive, which explains why my 750 GB drive shows 698 GB AFTER formatting!

    Hope this helps! Ray P.

    Friday, August 9, 2013 7:26
  • I have to agree, I also have the X: drive, a D: that I cannot access but should be my optical drive. They (SFnetOps), my tormentors, are using the same system of control that you are describing. A LOT of my registry has data on the default line, which in my experience has always stayed (value not set), then any additions are below that line, but I have the "Apartment" threading model everywhere in my registry. These guys (their web page claims 1136 members), many are master programmers, and they have put countless hours into this project. As I mentioned before, I read a reference to "our man at Microsoft". Run a *.log search and look at all the XML files they have run! Chock full of niceties such as "DESTROY_PRIVATE_DATA". They access the hidden drives using a C:\:://./D: command, but it will not work for me even when I copy the command exactly as in a log. Beware, they compile a list of things to change and or delete during a re-boot! So find that list in the log file (sorry but I don't know off hand which logfile, I'll attempt to post it when I find it in my 2 foot high pile of notes) and stop it before you reboot if you have the knowledge to do so. The Recycle Bin thing is being used as a buffer of sorts, they stash files in their version (the one with the bin in the bin), then restore it to wherever they want. They disable system restore points. Run a search for BVTbin in the regedit "find", close it and hit F3 for the next; I happen to have 304 in my registry. After a clean install, take ownership of C:, turn off indexing, and get permissions for all the top level registry keys. This actually slows the "takeover" by quite a bit! Ray P.
    • Proposed as answer by robin1230 Sunday, October 6, 2013 21:16
    Friday, August 9, 2013 9:13
  • So what's their point?? If they know we know they are there then what's their point. A bunch of loser Russians sitting around using old Windows apps making life hard on everyone.
    • Proposed as answer by misha1230 Saturday, October 12, 2013 18:13
    Sunday, October 6, 2013 21:18
  • I have contacted the FBI and Apple has my iPhone now, examining it. Large amounts of money were stolen from me. The FBI gave me a brand new computer to use and right before their eyes, using my AT&T stick to access the internet, the new computer became infected. At some point Microsoft has to acknowledge and address the use of their software and fake certificates in this scam. The people infecting and taking over our computers are not hackers, they are common thieves and criminals. This is a worldwide scam. If you go on eBay you can purchase a disk that is supposed to recover passwords but can actually open any file on your PC. You can easily see there are so many apps on your PC and so many backdoors, and so much running using Windows Media, Windows Defender, Windows Silverlight that any suggestions on this forum to fix this problem are useless. I have had 6 computers ruined. They monitor everything you do to find any and all information about you to eventually steal from you.
    Saturday, October 12, 2013 18:27
  • Did you ever open an issue with us on this? Seems like our security team would be very interested in what's happening on your system(s).

    --Joseph [MSFT] http://blogs.technet.com/b/joscon/

    Saturday, October 12, 2013 19:15
  • I tried and tried to get help from Microsoft but was ignored for the most part.  I will be glad to send Microsoft one of my infected computers.  Just let me know who to send it to.
    Monday, October 14, 2013 15:41
  • Send me an email with your email address and the country you reside in and I'll hook you up with a support case so you can work with someone.
    Monday, October 14, 2013 15:59
  • I don't have your email but you have mine. Please email me with instructions, but keep in mind everything on my PC is monitored by the hijackers. I will be glad to provide one of my infected PCs. There are Microsoft employees involved in this.
    Tuesday, October 22, 2013 21:32
  • I don't have your email address actually.  If you can tell me who at Microsoft is working on this already, I'll reach out to them internally.

    --Joseph [MSFT] http://blogs.technet.com/b/joscon/

    Tuesday, October 22, 2013 21:40
  • Hey I got the exact same problem.....Floppy disk, hidden USB, CD-ROM that is remote controlled (which is why you can not get rid of this......), ramdisk, that is why scanners don't detect it, printer with fax hooked up, a keyboard, and mouse etc etc etc! Somehow they keep finding me....my hard wired router has a password from Comcast and junk now! I could go on and on...Forget a boot disk cause he owns the CD-ROM drive.....controllers on the USB and all kinds of Worldcraft games BS on the machine. No matter where you are.....where cell service won't reach....they still on your machine, netstat -a -b etc...and oh cell phones, whether iPhones....they're trashed also (done trashed so many I lost count). Mostly all the files are unsigned but to find them you gotta kill a bunch of stuff using taskkill blah blah.....wouldn't doubt if this is their fake web sites I get redirected to with their script running. You think you got 'em, the machine will BSOD and dump right back to normal. It's some crazy stuff! IF anybody found a fix give me a reply.....but they got me so paranoid I'm already thinking I'm writing the botnet that uses my email (zipfldr.dll) flyout lol.
     Another thing, VeriSign....all the certs. are fake, DNS servers outta Korea....wow it's crazy!
     They are signing in as a service on the machine......I've pretty much become a hacker playing hide and seek with these people!....
    • Edited by bbff Friday, July 4, 2014 21:52
    Friday, July 4, 2014 21:25
  • May I please have your assistance in this as well. Thank you. Mine seems to be a little more damaging if all went wrong. Please, the emails I have sent have not been answered. Will be happy to accept a collect call. You seem to be the one who can help and I'm tired. Very tired, as I'm at wits' end. This has affected my health. Thank you very much. Dave. I desperately need a number to call, a direct email to someone. I doubt I will even be able to return to this forum. Please contact me 864-710-0358. It probably won't be included and I doubt they can do more damage by just posting my number. They already have access to it anyways. Please, someone that is familiar with this call me anytime 224-7
    • Edited by dave21122112 Monday, June 8, 2015 23:40
    • Proposed as answer by rukiddnme Monday, September 21, 2015 5:47
    Monday, June 8, 2015 23:28
  • As strange as all of this sounds, I must tell you that it is all true. I am surprised no one has offered a solution or even an idea of how this has been accomplished. It is easy to sit back and say a format/reinstall of the operating system will take care of this, but that is absolutely untrue. This is the most persistent exploit I have ever been witness to. I am not going to go into all the details of what it causes and how it affects your machine, because everything you need to know is written above for you to read already, and has been there for years. I personally contracted this issue while playing a game online. I am not saying that was the vector for sure, but that is when I noticed that it had taken over my system. I noticed that I started to receive the dreaded "buffer overflow detected in net message" issue and then my computer suddenly rebooted. Not once, but three times total within 15 minutes. I think that is the moment when the firmware of several devices was reflashed. I think this "whatever it is" lives as a persistent infection in the USB root hub of the motherboard, as well as the BIOS, and possibly the processor. I had just purchased and installed a new Intel Core i7 a week earlier and it chewed it up and spit it out, TPM and all. I also noticed an immediate reduction in my available RAM of 1 MB where it seems a squashfs file system resides. This is in the BIOS screen upon boot and it is always there since the infection. I fear it has even written a copy of itself to my Nvidia GPU. There is indeed an emulated CD-ROM that is of course read-only that takes over the boot process and keeps this thing persistent as well. I believe it has many layers of persistence, not just one. Therefore to remove it, you would have to flash the firmware of multiple devices at once to rid yourself of it. If you miss even one, it will reinfect. I don't know if it has been mentioned that Windows Update plays a part in this as well, but it does.
    What I thought was Windows updates were actually Windows updates plus some malicious hitchhikers as well. There are fake certificates that allow these updates to install. I was running Eset at the time and before it died and went silent it was crying out that there was an ARP-poisoning attack going on. It told me there was a "covert channel exploit" detected. Then it went silent as the infection hid itself better. You guys and gals here at Microsoft HAVE to know what this is. It encrypts files and places them in small packets and then lines them up to send out to who knows where. I have seen these files myself, but like was witnessed above, the more you resist, the stronger the infection gets. I used Avira to show me where the encrypted files were at, but of course I couldn't look at their contents. I was initially infected in October 2012 and it almost drove me crazy trying to get rid of it. I failed of course and my $1800 gaming rig still sits with its powered down illness on it. I am at a loss as how to remove it. I would welcome some ideas, but I see the attention this has received here means I am going to be disappointed. This infection is platform/OS independent. It appears to infect any operating system it comes in contact with. Even Linux, as it seems this is a kernel level bootkit/rootkit that comes from a malicious initrd.img. The kernel is a 2.6.34 version and you cannot update the kernel. It is write protected. I am telling you all of this to maybe cause a light to come on so you can tell us how to beat it once and for all. It seems there are some really smart and resourceful programmers out there that have OS builders by the gonads. It has Bluetooth capability and I have heard it try to dial out using my dial-up modem, even though I haven't used that thing in years. It has cellular capability and can phone home wirelessly if it needs to. I believe it is retasking USB devices on the fly to become what it needs at that moment.
    I pulled the Bluetooth adapters and wireless cards to prevent/confirm some of this, but not before it infected every device in my house. Three cell phones, four laptops, three desktops, and even an iPod. This thing is relentless. The strangest thing to me is how it appears to boot a virtual OS that it allows you to use, but keeps all the real power to itself. The closest thing that has come about since 2012 that might match it would be BadBIOS. I read about that and many things about it seemed to fit the things I was seeing, but now you don't hear anything about BadBIOS anymore. The man that discovered it was called all kinds of crazy, so I guess he gave up. An infection like this can drive you batty, but that doesn't mean it isn't a real thing. It is real and it is sitting in my computer room waiting for me. I disassembled my computers like you would rogue robots. I sure miss those guys, but they can't be trusted. Hell, I don't know if THIS device is compromised or not, but I needed to have my say. TL;DR You guys aren't crazy! This thing is real! Someone needs to be our hero and help us get rid of it! Any takers??? To whomever wrote the code for this "thing", I must say, "Well done, but please remove it now. I am sufficiently impressed".
    Friday, October 16, 2015 12:55
  • I have these same crappy issues discussed here and I have tried to no avail to get my computer back. Like these other people, I have invested hour after hour, month after month and I've had the same, exact experiences. "They" own my computer and allow me to use it at times. I've had marathon sessions of trying to regain control, but I have lost each and every battle. I see the same files, same processes running, see the same software programs I didn't download (and on and on......in fact, I didn't see one bit of information that I have not experienced) and I too can look at logs to verify what is occurring (just like the others here), but NOTHING works. NOTHING! If nothing else; I feel the pain and frustration and want you to know you aren't alone. Surely there has to be someone or some group that would welcome this challenge.
    • Proposed as answer by Friday23Null Monday, November 16, 2015 5:28
    Saturday, October 24, 2015 7:22
  • Hello and thank you for some response in this matter. I have seen all of the problems listed in almost every reply under MichaelMEM's original thread. I gave up on most of it back in 2013. My system currently seems to work fine as long as I do not attempt to stop or fix what it does. I have had so many different OS installs on the machine in question, which is currently offline. In the beginning I thought I must be crazy. It was mind blowing what they could do to my system remotely (right before my eyes). I don't even have a quarter of the tech knowledge displayed by most of the people on this thread, yet I must say I see the very same thing at hand on my machine. I'm not going to reiterate all of what everyone has stated in this thread as I find it redundant. The only relief I have found from actively being hacked is to leave it be and hope it does not bother me any further. I don't use the machine for any legal purposes and never make any online purchases or fill it with my personal information. I am currently running a W8.1 Enterprise Evaluation disk in the machine. This is the only system that seems to help my machine. I assume because it is part of an actively monitored network owned and regulated by MS, though I'm not sure. My recurring problem stands: in my system's BIOS the service tag was changed to a 'name' I am not able to express with my keyboard. It looks like the right side of half of a giant capital H followed by an 'E' and then a 'P', lastly with a " ' " (quote) sign. The system in question is an OEM version from Dell. I cannot completely wipe the disk without deleting programs that I like and paid for when I bought the system. I have recently bought a W8.1 Full Install disk and while I want to wipe my drive and mount it with this new system, I am concerned it will not help my system as the BIOS is displaying the wrong service tag.
    If you can help me or if the team at TechNet wants in on this system I would be glad to comply with requests. I am at a loss for words at this point other than to say I AM SO RELIEVED to hear that I'm not 'just crazy because that can't happen' as so many people have told me.

    • Edited by tallyMEbanana Saturday, December 5, 2015 18:49
    • Proposed as answer by timetravler867 Monday, June 27, 2016 6:08
    • Unproposed as answer by timetravler867 Monday, June 27, 2016 6:08
    Saturday, December 5, 2015 18:43
  • This is how to get rid of the hacker problem, but you must be willing to spend some time and money.

    1. Report it to the police. You can report property damaged because it was. You have to have a police report before the FBI will see you.

    2. Call the FBI and make an appointment. Be ready to turn over all your devices to them. This includes iPhone, iPad or whatever has wifi in your home connected. The hackers use layer link tech. to search your devices and infect them. Anything with wifi get rid of.

    3. Cancel your internet provider or wifi service, change your phone number, change your email and do not reference this information anywhere in your old accounts. You can't take or transfer anything whether it be contacts or email. Get a new internet service, wired only, no wifi anywhere in your home. Change cell phone provider and get new phones. If you have Dish or any entertainment package that connects to the internet, cancel it and get a new provider. Before you bring any new computer or iPad or cell phone into your home, make sure there are no old devices and no wifi. Microsoft will not help because it is a connection problem even though they are using Microsoft software to hack. Once a system has been infected it is useless.

    • Proposed as answer by timetravler867 Tuesday, June 28, 2016 5:56
    Monday, June 27, 2016 6:26
  • I forgot to mention in the above post, you must also close all of your internet accounts like PayPal, eBay, Amazon, on your old system. The FBI may connect a small device on the outside of your laptop and tell you to keep using it in your normal way. If they do, you just keep using it and wait until they tell you to stop before you get new equipment. You will have to open new accounts on your new laptop and do not reference old acct # anywhere. It's a hassle but it's the only way to keep your new devices from being "discovered" and set up with the same old crappy 98 Windows programs. What Microsoft could do is have software that could detect or not block all of the old Windows files. The hackers are exploiting Microsoft by issuing fake certificates and using the old application for illegal activity. It is illegal to take someone's personal property and destroy it, to invade someone's privacy, to steal internet time and access from your account, to redirect internet users to a 3rd party; it's all illegal. It's just that the hackers think they are so clever that no one will notice they are using your system, and they are certain Microsoft will not step in to help; in fact they are certain you will have no help. They transfer back and forth from country to country (like China and Russia) and know they will never be caught. So as the consumer you've lost your right to enjoy using a personal computer. You can't keep files or photos or personal information. You can't shop or bank or do any of the neat things like a normal person. You've been chosen to have your life ruined. The FBI may not do any good finding these guys but they can put protection on you and your internet.
    Tuesday, June 28, 2016 6:23
  • For the past year, I have encountered the same issues; I notified all the Internet Providers, but they kept telling me to "change my password"; SERIOUSLY???? When the program being used on your computer has been taken over, you cannot access any of your old files or apps. This has been very frustrating - they rooted my Android smartphone and it is locked - money lost. I was told by several computer specialists that they are running these "illegal" programs under a different browser? So, it cannot be detected by scanning your computer; or detected by most technical support agents. I did my own investigating and found that all information was being routed to their program; and it shows that I am "restricted" from making any changes to their system; as well as other devices added; or access any of my old accounts. My phone calls (new land line installed) are still being "blocked" when I try to speak to an agent or an attorney; also, two days ago an agent went into my hard drive attempting to remove this program, but they were just changing it back. He thought it was me....but, I informed him I wasn't touching my PC, and we were disconnected. If you go under properties on any of the files, apps, etc., in your hard drive and check the certification status, security, pathways, issuer, etc., you can find out a lot of information that will be helpful to a "task force" agent; if you can get in touch with someone. I am documenting everything; and pray someone hears my "CRY FOR HELP". My deceased brother's wrongful death lawsuit was changed over into my name since I was his caretaker and durable power of attorney a year ago when all this began. I have no idea what they are doing or if my life is in danger. All I know to do is notify the FBI asking them to investigate. My eyes have definitely been opened to the undercover "criminal" activity that is taking place on innocent user accounts; and there is a "loop hole" in the system as far as getting any legal action taken.
    Also, there are so many apps and "illegal" websites that you can pay to set up and run these organizations. It is unbelievable the changes they can make once they have taken control of your computer. I am praying that this information gets into the hands of our state Congressmen and Senators; making them aware in order to make laws against this type of criminal activity. I know what you are going through, and the only thing that has kept me sane is knowing my God sees all and is in control; and in due season, He will expose them.
    Thursday, April 27, 2017 2:24
  • I spent a lot of money having my hard drive removed and a new Windows hard drive installed. I lost my Android smartphone (where they began and then synced with my email and other social media accounts); after gaining access to my PC hard drive, my cell phone was rooted and "intentionally" given a Koler Trojan virus. I lost a new, very expensive smartphone, which had all my contacts on it; and was told that there was a virus in my PC hard drive as well. Four days after it was installed, and still at the shop, they began modifying program files (my cell phone was taken apart and sent back for a refund). My internet service had been disconnected and the equipment picked up because they were running on a "metered" connection, using my Wi-Fi connection, and despite my demanding my account be closed, they kept it active; allowing data charges to escalate. I received "no" help from them, despite the fact these criminals were "illegally" using "their" equipment....isn't that fraud and punishable by law? It was three weeks before I picked up my PC; and I was so traumatized that I didn't turn it on right away. When I did, I made it plain that I did not intend on downloading any apps until I knew I was safe, especially social media apps. The agent assured me I was safe. In two days, they had already downloaded the Windows 11 package; reset my hard drive; thereby taking control of my PC AGAIN!!! I had been given a ticket # when I logged off five months prior; and issued another ticket # when I contacted Microsoft. Does anyone know HOW they were able to gain access into my new hard drive? I had a land line installed, but no emails set up. I have been getting calls that say on my ID: verify, security, unavailable, and they are blocking "any" calls to my internet provider, government agencies, and attorneys. If I do get in touch with someone and begin telling my situation, we get disconnected.
    It is going on 6 months since I have been able to contact anyone (all my contact #s were on my cell phone) or use MY PC - my FB friends have no idea where I am or what happened. I am disabled and used my PC to pay all my bills and shop; and communicate with family and friends. I don't know how much more I can take!!! Thank You and God Bless!!!
    Thursday, April 27, 2017 3:08
  • CAN ANYONE HELP? I have never felt so helpless. My children are scared, my wife, me, everything is gone, Xmas gifts are hacked, and the saddest part is there's no one that even believes me. Not a single computer was infected till Windows said I had pirated software, which I didn't; I just could not get my original key from wherever in my ex's addict it may have been, and bam, next day it started, and it seems only people that can even find this post are the infected. I saved for years for my dream computer, spent so much, and now gone, never enjoyed it once. Who is to say we were infected at one point in time, our keys stolen, and this is our punishment from the companies we supported, who have turned their backs on us thinking we stole from them? Who knows, I just don't anymore. My dad is a programmer and believes this is a Windows issue and gave me a told-ya-so, cause at least Linux would listen. But anyway, just another person with nowhere to turn and running out of money to try and save a 5 year savings gone by way of door stop. Well, maybe through the door of a large corporation for allowing the exploits to be covered up and hidden from the public till they had a fix. Really, that's the answer? Wow, didn't realize Microsoft was the CIA. Really, who else in a publicly traded company is allowed to deceive their investors and customers alike? I know if I would do something like that to one of my customers I would go to jail, no joke, but guess they are above it all. Please, anyone got a fix, please post it. It almost seems they figure it out and then they can't find this post no more.
    Thursday, December 21, 2017 2:51
  • No offense but I am going through something similar right now and I just got off with Microsoft and they sent me a reply saying that they employ different people from different places and that it is covered in one of their consent forms. To be honest it probably is covered, up until you inform the people of your intent to speak to an actual salaried member of Microsoft support and then it becomes less covered and more of a future headache for Microsoft. I actually have a person sneaking things in and out of my files. 

    https://1drv.ms/u/s!AgtKkCXwyk9UpWNSSaY2r6DKoEvP

    A little bit of a mess I captured, one of many I have documented. 

    Saturday, February 3, 2018 18:40
  • I have almost all the hacker issues I see scanning these inputs.  I too am hacked offline and I have NO ISP.  I have taken computers to every pro within 100 miles.  None helped me at all.  They tried to tell me, also, that I couldn't be hacked offline.  I cannot even activate a cell phone or use one, I am so totally hacked.  Have been without use of internet or ability to work with docs for years.
    Wednesday, October 2, 2019 20:07