
Not asking how to hack...asking if I AM hacked

Discussion in 'Windows XP' started by AboutToGiveUp, Apr 26, 2010.

Thread Status:
Not open for further replies.
  1. AboutToGiveUp

    AboutToGiveUp Thread Starter

    Joined:
    Apr 25, 2010
    Messages:
    1
    This will be a long post and I apologize ...but I think it is one that may be of interest to security minded folks.

    This has been going on a LONG time, on two laptops, three desktops. Same thing, over and over.

    To begin with I knew nothing about computers except monkey see, monkey do, even though I've been online since 1992. I never wanted to learn all this. I just wanted to browse the web.

    After three crashed/trashed computers and one damaged one, I've started learning.
    On the last three computers, I tried earnestly to learn how to disable remote access. At first I just knew to uncheck the "access this computer remotely" under computer/properties drop down menu and I also disabled file sharing and so forth. Lately I got into Admin Templates and learned more. But nothing has stopped this nightmare.

    The very FIRST anomaly I noticed SIX YEARS AGO was that the computer time changed without my doing anything...it advanced 4 hours but only one time zone...made no sense. I didn't do it!
    Then I noticed:
    My name under "users" in taskbar disappeared.
    Network connections folder disappeared. Even though I did "connect" to the internet, I couldn't see the icon or do it manually if I chose. I had to just plug in and wait to connect.
    And it seemed to me the squiggly lines in the "performance" grid on my Task Manager screen looked really weird and erratic and a lot was going on that I didn't know about.
    I just had a feeling there was someone accessing my computer and doing God knows what in or with it.

    I started trolling the web. I called Microsoft. I asked a neighbor who was savvy. No one believed I was actually being hacked to begin with.

    I looked around in my computer and discovered:
    Root console disappeared; everything was "local computer" access only.
    When I created a limited user to browse the web, it just...disappeared.

    When I found out about and enabled logon audit it filled up daily, didn't identify user and referenced "network authority" "success" logons...dozens of them simultaneously.

    Administrative tools/services/"server" disappeared from the list.

    This latest experience, my lan icon in Network Connections was renamed "LAN2". what happened to LAN1??

    The 1394 connection was activated and couldn't be shut down. When I deleted EVERYTHING under the first 1394 icon, having been told that it had nothing to do with my internet connection, and then finally completely uninstalled it, a new one appeared labeled 1394-2.
    (I understand this is "firewire" ? Infrared connection? I dunno how that computes or why it's there...not a tekkie here, just have had to crash learn stuff I never wanted to learn...)
    When I deleted 1394-2 it apparently stayed deleted..at least on my screen.

    Network icon and network connections disappeared from taskbar and start menu, respectively, then the icon reappeared in the Network Connections folder labeled "LAN2". The taskbar icon NOW only appears when I am connected to the internet, but this may be a XP/MS glitch, not sure.
    Also the start menu would redo itself "spontaneously" I would discover when I logged back on. I generally used Classic, and it would be changed to the other Start Menu selection.
    Gremlins....?

    Odd txt files in Recently opened documents that meant nothing at all to me and made no sense. They appeared to be logs using words like "grabbed mutex and elevated privilege to....SUCCESS!" or "attempted to.....failed! Retrying..."
    and so forth, running on like a program written to access and change settings in my computer. But these things were apparently done while the computer was supposedly shut down and I was fast asleep.
    I saw so many different screwball things after a while I got tired of writing them down to research them. But a pattern did emerge.

    The same things over and over. Recovery, Restore, OEM reinstall, different computer, didn't matter.

    I've run every malware detection program known to man or woman, including every online scan out there from reputable sites, Malwarebytes, Spybot, SuperAntiSpyware (that one restored my SafeBoot function that disappeared once...program was worth it for that alone. It never found much in the way of malware, however.) and so on and so on.
    Nothing detected that was related. Nada. Zip.
    Uniblue sucked..that was a mistake...hard to get rid of.
    HijackThis showed an extra BHO or two of unknown origin, but nothing major was detected. Deleted them. Nothing changed.
    Glary, AWC, all of MS's malicious software crap, etc etc..., even had a "Bleepin' Computer" tech help me try to find the problem
    (He didn't believe I was being hacked either, but carefully had me run several tech-based specialized programs, walked me through everything as if I were slightly retarded, and decided a minor malware and an extra BHO was the whole problem. He was nice but appeared to think me simply paranoid to believe I was being hacked, so I just folded my tents and went away...)

    With Windows update, several update icons appear simultaneously on my taskbar, and in the TM process screen "wuaudt.exe" is listed two and three times, none could be shut down and also appeared at random, even when I disabled "automatic updates" completely.

    I was unable to stop terminal services. "access denied" was message when I clicked on it while using my admin account.

    I did a subsequent recovery, disabling TS quickly and disabling the program under msconfig then rebooting, it finally DID appear to stop it this time,..again..dunno.
    I *suspect* a phony remote desktop was superimposed on my screen, emulating my own original one (this is all speculation, understand, based on one thing: when I enabled "forced removal of remote desktop" in admin templates I was left with a "safemode" screen that wouldn't go away after rebooting several times, which forced me into a recovery with backup...a backup I couldn't remove via Backup Wizard and CMD.
    Just trying to parse out what has been happening. I don't "know".)

    An "authenticated user" with a long name starting with S- followed by a string of numbers was granted user privilege of "access computer remotely", I discovered when I tried to use Belarc Advisor to beef up security and edit user rights. Deleted that. Disabled all the remote-enabled accounts (Help Assistant, Support, etc.) just to be safe.

    Attempting a restore function to a point prior to all this weirdness was "unable to restore".
    Like I said, I have a backup archived from the partial recovery visible on the c drive prompt, BUT when I try to delete it it says it can't locate the directory...that I'm sitting here looking at. Ditto via the Backup Wizard. HOWEVER, I could see my AV program (Rising again) detects it on c: and scans it...detecting nothing unusual.
    When I tried to delete it via the Backup Wizard itself, it says it's not located on this computer. The recovery partition D: has only "recovery" on it with a lock icon...think it's in there? Lol..who knows..not me. Though I have discovered a weird txt or two on that partition.

    EVEN WEIRDER, I had supposedly deleted the entire backup program itself from Ad/Remove Programs (I thought I had...it's not listed there anymore) just in case it was involved in all this crap.
    I never backup anything. I THOUGHT I could delete it after the recovery...guess not.

    My computer is pretty fast actually to be so old, but the speed slows down a lot when buffering movies online, and I *suspect* it is being used as a server relay by the hacker when that happens, for whatever nefarious function I don't know.
    I was a firm advocate of Firefox...until the AFOM addon function (to free memory) stopped working, started crashing the program, then wouldn't enable, and it was dragging around 250,000 kbs as I surfed and they wouldn't unload. Also I would see two or more Firefox.exe processes running in TM sometimes. So I guess that was hacked and reconfigured somehow.
    Every security software program I have ever used ultimately would fold/fail. The taskbar icon disappears or grays out suddenly for no apparent reason. ALL of them. Bar none. Alwil's umbrella just folds...
    This included: Norton's, McAfee, PC-Cillin (long BEFORE the free trials were scheduled to expire). I also purchased Norton's, McAfee and PC-Cillin AV software and installed it from CD. I also tried Kaspersky, AVG, Alwil (or is it Avira? I forget), Avast, Kingsoft, and Rising Security Suite 2010, Fort Knox. These programs crashed soon after install and then again appeared to "function" but never detected anything again.

    I found weird text files in the Windows folder that seemed to instruct these programs not to detect stuff...redirecting to other logs with weird text, strings of symbols. Then they were deleted and appeared in the Recycle bin without my involvement...and then reappeared to cycle again.
    I can't swear that was what was going on, since I'm not that knowledgeable, but it appeared these files would be generated by a temp file that was set to execute their text and then be deleted.

    The event viewer would be empty except for references to logons by "NT AUTHORITY" that would fill up that audit log, dozens and dozens of logons...many if I logged on as admin for updates or something...and security log "warnings" about my AV being stopped and started again (this in the wee hours when I was long asleep and my computer supposedly turned off AND unplugged from the modem) and things that were unexplainable referring to stuff that (it said) was not located on this computer.
    The last time the audit files simply said, "logs successfully cleared"...but not by me.

    My admin account was later denied access to the audit function, to the drop down properties menu on various icons including network connection, properties in the services list, and so on.

    Rising and Kingsoft at FIRST detected several trojans each and quarantined or removed them (I have long since forgotten their names, though I did write them down somewhere. I googled them and came up empty.)
    Both programs also ultimately crashed and came back to detect..nothing.
    Admin templates for software disappeared and any changes re: remote access I previously made in the templates were obliterated, set back to "not configured" state.
    It appears a restore was done, because deleted programs also reappeared suddenly on my desktop, and my desktop changed accordingly but looked haphazard and untidy.

    Last night I could actually HEAR keyboard clicks in the background on my computer...NOT simply processes running but actual keyboard clicks (weird) as if "someone" was doing stuff I didn't know about, behind the sounds of my own "clicks" while I accessed folders, modified my access & made changes to administrative template folders, prohibiting this and that remote function and enabling my own functions as fast as I could and limiting any remote "authenticated user" sessions to a maximum of 1 minute <g> to give me time to try and reset things.

    Hearing those keyboard "clicks" was truly weird. I could imagine the hacker laughing at my futile attempts to outdo him.
    All my changes were, as I said, obliterated the next time I accessed the admin templates.

    At various times I tried the following to prove to myself I wasn't actually losing my mind and becoming a paranoid schizophrenic:

    I changed my desktop background and settings to a black background with lilac windows and the screensaver to "Nature"....and the next time I logged on it was back to normal blue and deleted programs had reappeared on my desktop, with the original Microsoft screensaver, which told me the system had been restored while I was sleeping.
    BTW I *never* stay connected to the internet after I quit. I shut down completely after I unplug from the modem. I even power off the modem now!

    When I was accessing wireless via laptop, I used WPS2k encryption (I think it's supposed to be stronger than WEP), and a long password with weird combinations of symbols, letters and numbers. Didn't matter. I changed the settings in the modem....didn't matter. The weirdness continued.

    I tried Sophos to detect rootkit, and it found one but couldn't delete it ...it crashed...then next time it found...nothing.

    I tried to explain all this to my neighbor the hardware geek and he thought I was nuts for thinking I was hacked (who would want to hack me? I'm a 60-year-old woman of limited means. IF I buy online, I ONLY use a separate bank card in another bank with the minimum in the account for the transaction. I am a caregiver for my 95-year-old mom. We are basically broke and struggling day to day. Seems like a pointless endeavor to hack me, but no matter. It's apparently happening. Perhaps it's to use my computer's server function, I don't know.)

    I wondered on and off about my sanity. AND THEN....

    Yesterday I talked to my neighbor again and he APOLOGIZED for not believing me. HE had just been hacked and was truly shaken up by it.
    I asked about the symptoms, and when I asked about a time changing randomly...he gasped and said..."YEAH! YEAH!! That's what happened that made me notice something was going on!!"...and then, quietly, "Uh, yeah... I remember you mentioning that before and I didn't pay any attention to you. But NOW I know what you were feeling."....and sounded sheepish.
    The time change was the first thing he noticed when I prodded his memory...I had given him the punchlist of anomalies last summer...when he had simply decided I was being a paranoid nutcase.
    HE no longer believes that is the case.
    He had Windows 7 & Vista both on his computer and suddenly...his computer was dogmeat, he said.
    (I've lost three computers to this myself.) He was SOO pissed and just...sounded dazed. Couldn't believe it was happening to HIM.
    He has decided to buy a new motherboard & HD instead of trying to find and "fix" the problem and plans to install a new BIOS, I think he said, and THEN try and find a way to access his HD safely with another computer and retrieve all the stuff he had lost that was important to him. He said he thought the hacker planted something in his BIOS (that's what *I* had thought intuitively to begin with but everyone told me it was "impossible" BUT the security guy I will mention later told me I was right!)

    My neighbor also mentioned finding an empty partition he thought the hacker was getting ready to fill that he deleted before that happened (I had found and done the same thing in computer #3.
    I think this hacker is quite knowledgeable and versatile). After that is when his computer went to hell.

    BTW that "time change" anomaly? Remember when Microsoft released a fix for the vulnerability that mentioned the time being involved?
    I had called MS security techs more than SIX months before that release and told them there was a problem there somewhere...and the first three techs said they knew *nothing* about any such problem.
    Later I found out from an honest, level-way-up-there senior security tech who, though she was unable to solve my problem, said she believed I was right, I *HAD* been hacked; she said that I was the third person that week that had reported the same random time change symptom and suspicions of being hacked to her.

    (I raised Cain with HP and eventually got a new laptop out of it though >}. BECAUSE what most people don't know and is so stinking WEIRD is that "REMOTE ACCESS" was enabled on EVERY computer I have EVER PURCHASED. HOW stupid is THAT? How many newbies are aware --or told---that they NEED to disable that function and how to do it? IF they need remote help, *THEN* it could be enabled! Makes one wonder why and why not, doesn't it....)

    I'm sitting here looking at the "update icon" sitting in my taskbar and the spinning "acquiring address" ball floating around the network icon and even though all true updates done from the MS site have been finished (I checked...no updates available) and I am ALREADY online, these anomalies are still there.

    MAYBE the hacker can't connect and find me >} since I changed the computer name after I enabled myself as able to access "Domain Control" (don't ask me how..I stumbled upon that template and made a bunch of changes to security connection authentication requirements for remote access and anything else that looked promising...<g>. I just remember hitting a "view" dropdown menu and voila! There it was. "D.C. Options")

    Right now my computer is quiet, the ball is spinning...CPU load is nothing... SO far, so good...

    SO, based on all those mysterious little update icons that randomly appear whether or not I chose automatic updates...maybe the hacker has hacked MSupdate and uses modified or re-engineered duplicate .exe's to find his "client/servers", making connection and sending files to reconfigure any changes made by updating if we unwittingly clicked to "install" what we believe to be Windows updates.
    I dunno...like I said..not a tekkie here ..just pissed off enough to try and find out how to thwart him/her (don't want to be sexist about this...)
    OR maybe his versions of download hotfixes/updates he has simply "edited" to uninstall/replace the real ones but not to function? maybe, I don't know.

    Previously, almost all the "real" MS security updates mysteriously disappeared from the Add/Remove screen after installation, presumably uninstalled by this jerk to make his job easier, so I started using CC Cleaner to uninstall the update uninstallers ASAP...lol
    Hey...as a matter of fact, I seem to recall one of those weird txt files that said, "uninstaller NOT FOUND!!" with several repetitions of that in the file. Hmm, maybe I wild-guessed right!

    The last recovery, I disabled restore, did a recovery, and re-enabled restore...set a restore point...and just...kept changing the NAME of my computer...and the ball keeps circling...
    Do you think that keeps the domain from recognizing my computer?
    When I changed the computer name I inadvertently used a "non-conventional" symbol in the name and got a warning that my LAN might not be able to find me. That's what gave me the idea of name-changing.

    Of course DSL knows I'm wired into the modem so off I go.
    I surf until the icon says "connected", unplug from the modem, then change the name again after I reboot...lol.

    This time being logged on it hasn't connected. Interesting.

    I don't know if I'm outwitting the hacker or not...but it makes me "feel" I have some control, so I'll keep doing it. Also, since I did a GP edit and selected from the drop down menu of "view" from somewhere (I've already forgotten where in the bowels of the computer I found it) "let any administrator available access the Domain Control" or something like that...and THAT let me back into the Root Console with a random right click on...I don't know what...something in the mmc screen...it was 2 in the morning and I was just rummaging around and hit paydirt....I seem to have done something right...BUT I was afraid to delete or alter anything I truly knew nothing at all about...so I didn't bother the screen that miraculously appeared for me to read stuff like "MSconfig" and I forget what else was listed in that little box.

    I may be a little reckless, but I'd rather this computer keep toting up 1's and 0's and continue running so I can surf the web... with or without the hacker....

    I *have* as you can tell just floundered around and deleted stuff that didn't look right. What did I have to lose? But I back off anything that looks TOO important...
    I DID delete AOL, Adobe Reader, Quicken, digital media reader, and a bunch of others that seemed to run for no apparent reason and were supposed to be set to manual or disabled.

    Anyway, now the status properties (reenabled that) of my LAN icon and the task manager don't indicate that there's a whole lot going on in the background that isn't supposed to be. My computer is running very quietly with barely a click. When it "connects" I'll just unplug, reboot and change the name again...

    Once I managed to run a trace (I know little about it...but one firewall did this) and it seemed to terminate in China before it couldn't trace anymore...it was traced all over the world.

    My last comment: when this *first* started happening (and that Dell was finally fried like my neighbor's) I called in an IT security consultant (I was desperate enough to pay and nobody would BELIEVE me) who had done work for the govt, and he finally sounded shocked after working for quite a while, blurting out that something was in the BIOS, and it wouldn't flash properly. He was crestfallen, said he didn't know how to fix it...called his partner, said it was like what the govt used to spy on people under warrants...that he wasn't privy to how to UNDO it, that I should just trash the computer and get another one. He didn't even want to charge me, he was so bummed. Well, the hacker trashed it ultimately; I didn't have to.

    Anybody got ANY ideas or had any of these problems?

    If not, at least I hope this has been interesting and mildly entertaining.

    This experience for me has just been one sh*t storm after another...until I decided I'd just roll with it and see what I could learn ..lol

    I AM tired of it though and would love to boot him out or catch him. But --not a tekkie here.
    In the meantime, I decided to do the occasional destructive recovery, start and stop restore, and annoy Hacker any way I can... and keep on watching tv/movies online...which is mostly what I do for relaxation, in addition to researching how to take care of my Mom and political machinations.
    Whew. I'm through. Hope NONE of you readers go through this unless you are WAAY more knowledgeable than I!
Short URL to this thread: https://techguy.org/919269