Hijacked and Dead Vista

Discussion in 'Majorgeeks Welcome Center' started by BOUT2GIVUP, Mar 24, 2009.


    Have tried unsuccessfully to remove malware. Actually, think Malware is least of problems..if that's possible. Not literate enough to explain all but will highlight recent problems and hope for guidance from someone. Have had 5 computers in less than 5 yrs. and ALL have been hijacked by same person or group (same ID, passwords, etc.). Have done NUMEROUS reinstalls of XP's and Vistas via phone with pros plus paid Dell twice, HP twice, Microsoft three times, Norton once and even AT&T once plus two private companies to eradicate hacker. Just completed last of 3 clean reinstalls of Vista less than a month ago by local well-known company who used some government program. Found my hacker(s) behind a hidden partition. He/she had assumed all administrative privileges through Advanced Security Snap-in with RPC & group policy and was using my computer as a workstation. I had a choice for the price: Trace the hacker or cleanup my machine and configure more secure firewalls, etc. Chose wrong. Should have found out WHO - because he was back within one week and company said 3 times is enough. I can review the scenario for you because it is always the same and I even know the hacker's ID, domain and passwords. He's so bold, I even know which movies and games he's using with my NVIDIA's console and can find all of his many hidden files without a problem. My event log usually STARTS with "Logon attempted using explicit credentials". From there, it goes to "Special Privileges assigned to new logon" and "audit success..., etc." and then my Vista Problems & Solutions starts with the app crashes including Windows Defender and Network Diagnostic Framework (can't ID or repair) and Windows Firewall keeps turning on [guessing to knock out my own firewall - now Comodo IS] and then Windows Updates stop. It's about then I can see that CREATOR/OWNER has most of the privileges, then SYSTEM, then Authenticated User, then Administrators....and then Users.
    (I'm supposed to be an administrator but can't change anything.) Bout that time my "C:/ Drive" becomes "C:/Disk". This time I have a new one, MpSigDwn.dll. - no, I don't use anything wireless. My Services have all been changed to enable all remote accesses in Private, Public and Domain and I can't change them. The disabled's Ease of Access feature is set to flash the screen of whoever is apparently hearing impaired when I log on; my Pen & Input Device is turned on; a foreign language pack has been installed again; password protection has been turned off AGAIN upon wakeup; I'm apparently using a Roaming Undocked Profile again [that I don't have]; Custom Power Plan #2 is again in effect (?); have another hardware error [but haven't installed anything]; have a program compatibility problem but haven't installed anything new AND now have a generic network adapter (USB To Fast Ethernet Adapter) instead of my Intel. In addition, both my Avast and Comodo have install dates of last week but were last installed on 3/6 - and...my Video Hardware (3D graphics) stopped working along with Internet Explorer and Windows Explorer. Depressing? I don't ever put anything personal on my own computer because I never know who I'm sharing it with. I can't email friends because I fear he'll take their computers, too. This is what I have dealt with almost daily for almost 5 years. It started right after I fired an IT Mgr. at my company and he threatened me - but I can't prove it's him. I know...I need another clean reinstall. But that cures nothing. PLEASE...just point me to someone who can make sense of this and tell me what to turn off or what to install or whatever without having to pay again AFTER I do the reinstall so it won't just keep happening. I simply can't keep paying to use a crippled computer. Thanks for ANY help and sorry if I'm leaning too hard but I really am... BOUT2GIVUP
    Oh my goodness!! Welcome to MG's - this is the one place that I know that you will be helped or directed in the right place... be patient (I know it is hard) but someone will come and help you... I wish you the best!!

    Sorry to hear of your infuriating problems, must be a nightmare. Like Kathy says, someone will come and help you or redirect you.
    Welcome to MGs and best of luck in your fight with this low life.
    Well - damn.

    That sounds like a hell of a pain in the *** to be dealing with, and I can't believe you've been dealing with it all this time; I think most people would give up on computers...

    Do you know much about computers yourself? As in working knowledge, how to do things on a computer, carry out maintenance, etc?

    And another question - you've used a 'company' to fix your PC, and then three times it's still gotten reinfected, or re-controlled, yeh? Might sound a little paranoid, but are you sure that this company is legitimate, or that they don't know this ex-IT manager that you fired?

    Because, unless this guy is sitting at his computer 24/7, then it is unlikely he is 'watching' until you get it fixed and then re-infecting it straight away; some of it sounds in a way... automated.

    Now personally - if I were to try to fix this problem myself I would start by erasing everything on the offending hard drive (while having my internet disconnected, as in unplugged), then install a copy of Windows I have never touched before (eg: just bought), and then before I went onto any internet I would install a proper firewall (disable Windows Firewall) and a proper antivirus. Then I would connect - and see if it happened again. But unfortunately I'm not physically there.

    So for you to get some much needed help I'll have to refer you to the malware removal guide which is located here: http://forums.majorgeeks.com/showthread.php?t=139685

    And after doing the necessary steps on there, you need to post the resulting log files and any information you learn from following its steps, here: http://forums.majorgeeks.com/forumdisplay.php?f=35

    And then someone can help you with your problem - because right now there is no standard information for people to work with.

    So - good luck mate, and welcome to MG's!

    Thanks for your reply. Don't think pros know my hacker. They were only last in long line I've hired to eradicate him. At least, they proved his existence. Vindicated! Hooray! Like you, have wondered about some crazy sitting at a keyboard 24/7 waiting for me to logon. I know he's using my disability option for hearing impaired to flash his screen when I do log on but other than that is using me as a workstation on a shared server and keeping logs, etc. I also know my emails are rerouted through that server because some that actually got through to Tech Support at Dell, etc., have been rejected for a redirected address. Can't run the Malware Removal Tools you suggested because have already lost my "permissions" to download cleaners or run scans. If past is an indicator, will soon be unable to access Internet at all but he will use a custom power plan to turn on my computer if I leave it plugged in. As far as my "computer-eze", been around networks and used a lot of programs professionally. Am a fanatic about good computer housekeeping, i.e., updates, backups, defrags, scans, etc., and have even added memory to one of my computers....but other than that, am definitely a newbie. Question: First hint after reinstalls of my OS that he's back is an entry on my Event Manager that says, "Special logon with explicit credentials attempted". After that, it goes to secondary logon successful, etc., and then "Audit Success"... What I want to know is, what are explicit credentials and why would my computers acknowledge them even after a wipedown? That has to be the entry point. I don't use a Smartcard so he isn't using mine. Any ideas? Anyway, thanks again. Give up, you say? Noticed my ID?
    Haha, yeh, I get what you're saying mate.

    Well, how a computer is 'able' to logon with secondary credentials is (AFAIK)

    a mixture of 2 services, namely 'fast user switching capability' and 'secondary logon'.

    Now these are both services listed after you go to run > services.msc. I wonder if you'd try disconnecting from the internet for me - and attempting to disable them both, and replying to let me know if it helps at all, because those are the main services I would think would allow someone to logon through the internet, without using remote assistance - I do assume that you've also turned off remote assistance, right? Because that could be a possible access point.

    Click on start > right click on my computer > go to the 'remote' tab > untick 'allow remote assistance invitations to be sent from this computer'

    Now these I would suggest doing while you are not connected to the internet, physically - as in unplug the wire - cos basically, unless he has lowered your access permissions system wide, then when you're off the internet he shouldn't have any control, eg: you should be the only one with 'admin' listed next to your name, and therefore your system will allow you to make global changes.

    Get back to me soon as ya can mate.

    PS: how you get into services: click on start > run > type 'services.msc' > it will show you all installed services on your machine; find the two I listed.
    To 'major attitude':

    He has already posted he is unable to use the clean up tools - hence why I am attempting to help him another way.

    Quote: "Can't run the Malware Removal Tools you suggested because have already lost my "permissions" to download cleaners or run scans."
    Then he needs to boot into safe mode and run the tools. That should disable whatever is running and causing him the problems. It's the easiest, first thing to try.
    Fair point, lol - sorry mate.

    I do tend to over complicate things when I'm looking at PCs =D

    - ignore me

    OK - that was fun...Had to do a restore to earlier today to get back on line after disabling the secondary logon option. Couldn't find fast user switching. Did find some interesting stuff, however, and peeked but didn't change any of the options since all were passcoded under either Network Service or another user's ID. Some of the options activated are: Smart Card logon; Remote Procedure Call; LanMan Server (printer sharing); Net.Tcp Port Sharing; Netlogon; Terminal Server; and Routing & Remote Access. See your second post & will follow-up there now. Thanks again. Oh - BTW: Guess where you're from I'd be referred to a Sheeba (sp?) rather than a Mate. lol
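    As an added, read-only audit example (not code from anyone in this thread), this covers both BlackPhoenix's advice to check Secondary Logon and the Remote Assistance setting and the services listed in the reply above. It assumes PowerShell 2.0 or later running elevated on the affected Vista machine, and the service names, registry paths and event IDs used below are standard Windows values, not values taken from the thread; it reports the state of those services, the Remote Assistance and Remote Desktop switches, and Security-log events 4648 (logon attempted using explicit credentials) and 4672 (special privileges assigned to new logon) from the last 24 hours without changing anything.

```powershell
# Added audit example, not from the thread. Run elevated; it only reads state.

# Short names of the services the thread mentions ('seclogon' is Secondary Logon,
# 'TermService' is Terminal Server, 'RemoteAccess' is Routing and Remote Access).
$serviceNames = 'seclogon', 'SCardSvr', 'RpcSs', 'LanmanServer',
                'NetTcpPortSharing', 'Netlogon', 'TermService', 'RemoteAccess'

function Get-ServiceReport {
    foreach ($name in $serviceNames) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc) {
            New-Object PSObject -Property @{
                Service   = $svc.DisplayName
                State     = $svc.State       # Running / Stopped
                StartMode = $svc.StartMode   # Auto / Manual / Disabled
                Account   = $svc.StartName   # account the service runs as
            }
        }
    }
}

function Get-RemoteAccessSwitches {
    # fAllowToGetHelp is the 'allow remote assistance' checkbox on the Remote tab;
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        RemoteAssistanceAllowed = ($ra.fAllowToGetHelp -eq 1)
        RemoteDesktopAllowed    = ($ts.fDenyTSConnections -eq 0)
    }
}

function Get-ExplicitCredentialLogons {
    param([int]$Hours = 24)
    # 4648 = logon attempted using explicit credentials (runas / secondary logon),
    # 4672 = special privileges assigned to new logon (an admin-level token was issued).
    $filter = @{ LogName = 'Security'; Id = 4648, 4672; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-ServiceReport | Format-Table Service, State, StartMode, Account -AutoSize
Get-RemoteAccessSwitches | Format-List
Get-ExplicitCredentialLogons | Format-Table -AutoSize
```

Run it once before and once after changing a service or the Remote tab so the two reports can be compared; a 4648 event whose first line names an account you never use is the entry the first post describes.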
    Haha, if you're referring to me - I'm in the UK, lol.

    Good luck in the malware forum mate - hope you can get it sorted =D

    Thanks for attempting to help me, BlackPhoenix. You obviously know what you're doing.

    Will try again for third time to do your Malware Removal but have been unsuccessful even in safe mode since "no permission" popups and freezes shut me down. Understand your need for specific results though.
    Yeah... did you boot to safe mode yet? Keep playing with services if you want, when you get to booting into safe mode, let me know if the tools run then.
    Hmm, since this is in the welcome center I would like to point out to BOUT2GIVUP to please use punctuation and paragraphs. There is no way that I will ever read that blob of letters to offer help.;) Please distill it!
    Yes, several times... and then I lost all access. It's taken AT&T 3 solid days (resetting my winsock over and over by Tier 2 Techs) to get me on for more than an hour. Finally, we just got back on by using an old DSL modem I had & then reset the winsock again. I'm crossing my fingers...and will type VERY fast...
    1. Remove Unused Programs: Suspicious. Have very few programs listed anymore in Vista, Control Panel, Programs. Find the missing ones in Vista welcome screen but most are "folders" and not icons.

    Checked Programs with Updates and found two recently added: one as a program, "Intel(R)PRO Network Connections" on 3/14; and one as an update but with no KB number on 3/23, "Visual C++2008X86Runtime-V 9.0.30729.01".

    My Device Manager says my current network adapter is Intel(R)81562V-2 (AT&T Tech had to reactivate it today.) My Problems & Solutions had a popup last week stating I had a hardware compatibility problem with network adapter stating mine was a generic and was listed as, "ADM851X USB To Fast Ethernet Adapter...".

    2&3. Clean Hard Drive and Remove Invalid Registry Entries: Can't download CCleaner, "This download has been blocked by your Security Zone Policy." I have made no changes in IE and use Firefox. Those security options look good. My Internet Options were checked by AT&T and look OK. Don't know what this is...

    4. Clean up Startup Items. No unusual tray icons (except two on my speakers discussed below) but found 7 quickstart launches (Show Desktop, Switch Between Windows, Mozilla browser, Launch Internet Explorer, MediaPlayer, AdAware and Windows Defender). I never use quick launches, didn't put these there and can't delete them without, "Are you sure you want to uninstall this program?".

    Went to Windows Defender, Software Explorer, grouped programs by Startup & All Users and found 3 registries and their various programs: Registry: All Users, lists only my HP all-in-one printer; Registry: Current User, which lists only a Media Center Tray Applet. (Haven't been able to find my Media Center for a while!....); and Registry: Local Machine. This is where most but not all of my programs are listed, again including HP digital imaging all-in-one. It also lists Realtek HD Audio Control Mgr but its install date precedes both my computer's build date and the last recovery date and it did not ship with my OS. (I have a tray icon on it and also for my LCD built-in speakers, Vol. 55, Realtek High Definition Audio...?) In addition, have Microsoft Userinit Logon Application (recently installed) and THREE separate programs named Microsoft Windows host Process (Rundll32) with the only difference being their start up values.

    5. Defrag Hard Drive. My Windows version hangs and can't download the IObit Smart Defrag because of the Security Zone Policy thing.

    6. Run Malware Scanner: Can't download CCleaner.

    That's it - for the Malware Cleaner Guide.

    AT&T said to tell you (yesterday), some kind of problem was preventing my TCP/IP from stacking and about having to reset the netsh winsock too many times.

    Sorry for the TMI on my posts. Knew I would be losing connection any time and wanted to provide as much info as possible as fast as possible. Always thought it best to tell pros what I DO know and let them pick out the pertinent points.

    Thank you for any guidance. Scared to power down my computer so would appreciate an early response. BOUT2GIVUP

