Unwelcome visitors in Boot Sector(s)
Posted on 2004-03-25
This is a sorrowful, tangled tale, but I am on my 3rd computer since Jan. 16th. On 11/20/03 the 1st computer (80 GB HD, 1 partition, FAT32, W2K) was infected by a neighbor who was file sharing AND sharing my DSL. I knew something was wrong, but the computer was updated, patched, behind a router, and Norton said all was well. Also ran Ad-Aware, SpyBot and SpyWare Blaster regularly, and other than the ever-present data miners, they too came up with zilch. That computer crashed hard on 1/16/04 in the middle of a project. Quickly hooked up #2, a Dell that had just been delivered 3 days prior for Mother, who wanted to learn to email. This was a 40 GB HD, 1 partition, NTFS, WIN-XP HOME. Installed the security updates, SPs, Norton, Ad-Aware, etc. and back-tracked several days on the by now critical project with the last backup from #1, which was on a read-only CD. On the weekend of Feb 20, 21 & 22, Wallwatcher logged over 12,600 incomings to the Linksys BEFSR-41 wired router. I was the only one on the network, as the neighbor's line had been physically cut, although I had not yet investigated #1. The odd thing about the incomings was that they were from about 40 different countries, mostly Europe and Asia. Had installed a critical update on 2/11 which caused a BSOD and an error code pointing to new drivers, of which there weren't any. BSOD again on 2/24, same error code. Started looking around.
Services that I had disabled on 1/16, such as telephony, terminal services, remote access connection manager, etc., were running, although the "startup type" still showed disabled. Then I discovered that there seemed to be an IIS and an SQL server not only installed, but also running. About that time, I also realized that I had no admin rights and was "blocked" from many files and unable to change any registry values. Norton and his sidekicks were still singing Happy Days, but MS Baseline Analyzer claimed I had no security updates. Then started getting redirects from MS, Symantec, etc. Went to my neighbor's house to use his computer, and to my utter horror found the same story on his W2K, 20 GB HD, 1 partition, FAT32 computer. I thought it was because I had borrowed his router a couple of weeks earlier, while troubleshooting my mess. Except that I went to another neighbor who has W2K and again found the same story, and we have never exchanged an email or anything else computer related.
Unhooked computer #2 and hooked up computer #3, a newly refurbished 6 GB, W2K, 1 partition, FAT32 computer from a former boyfriend that had not been used since refurbishment. He also gave me a new DSL modem. NOW it gets really weird: on computer #2 (Dell) I could get a DSL sync light, but not a LAN light, with my modem, and a LAN light but no DSL SYNC light with his modem, with or without the router. I have not seen Andy since the same exact NO LAN on mine and NO SYNC on his happened with the modems on #3 that he had just brought over and that had worked fine at his house.
Sorry this is so long, but while this was going on the phone was acting weird, also. The phone company came and found my line not only hooked up to my building "B" (townhouse condominium complex), but also hooked up to building "C" on an empty pair, alive and well with dial tone. They urged me to call the police, who had no clue what we were talking about. I did contact SANS and CERT, and now my old router and HD are in Mass. with SANS, but I haven't heard anything yet.
The files that I can find and read are slippery. They change dates, directories, and even their names and file sizes. They are encrypted, and I have no experience with that. I have reformatted #3 three times, with no success. I wipe out the "unallocated" space when reinstalling, but it shows right back up. Tried Partition and Boot Magic, which sometimes see the space, but mostly don't. I download updates, only to happen on the Uninstall file later.
Now for the end at last... from what I can tell, and this is by booting from a Linux Knoppix disk, "they" are involved with VoIP and use telephony and terminal services constantly. I have all the video and audio codecs that seem to be associated with VoIP installed. There are all kinds of files relating to country phone codes and Sprint, MCI, etc. charges. I also have files for Windows 3.1, 95, 98, ME and XP on this W2K box. There are 10 different languages and fonts installed, mostly from Eastern Europe and the Middle East (including, I think, Iraq). "They" have full control of the printer and floppy drive, and sometimes they show up in Explorer, but mostly they don't. If I'm in an unwelcome place, I get some not very convincing Windows "error" message or just get thrown out completely to another directory. I have been using my web mail, but I think they are with me there, too. I can't email an attachment (not that anybody wants one from me), as it just gets wiped out.
I have been all over the Internet and can't find anything like this. HELP! I want my life, my privacy and my computer back. This isn't about money, as I constantly order over the net and my bank account is fine, although I have now changed cards. And my phone is still acting strange, with "open line" like sounds on it. Also, #1 had not had Yahoo Chat since 10/03; #2 and #3 never had it. I'm a distance learning student, in my last year, and I may never graduate because it's all done over the web. As the most computer literate of the bunch, the neighbors are waiting on me to figure it out. After the 2nd neighbor, I quit asking, but a laptop (W2K) that I had fixed for a friend and put on the network to install updates has since shown to also have the by now familiar story. Two of us use Earthlink, the other neighbor uses BellSouth.
I feel like Typhoid Mary caught in a bad dream. I'm looking forward to your suggestions and thank you for reading this all the way through. I just hope it posts.