I'm back. So is the hacker. Never left, actually. A month ago I wrote in about these people - one calls the other Sneely. (I've been out of commission, hence the delay in solving this problem.) I have followed your advice to reformat (system recovery) on Windows XP Home. It has not been successful. They are still there, in System 32, and have again taken over my system boot-up password, Norton, CD-RW drive, scandisk, and the printer (probably the floppy drive, too; didn't check). I was able to get some data on CD before they found out, and printed one file. Not sure if any of it could help catch them. This all started quite a while ago, and I was the perfect victim who knew nothing.
So, before going online, I installed Zone Alarm Pro 4 Firewall and Spy Subtract (this program is excellent!). Norton's firewall seems to be worthless. All my programs are up to date. I am NOT on wireless; my PC is stand-alone now (no roommate PC linkage for DSL). I moved my residence and now have ComCast cable (was SBC DSL at last reformat). I was on my PC a few hours only, mainly searching through the System files, trying to get info about these people. When I found out they were operating in System 32, that's when everything came to a halt.
So, I learned that the system recovery reformat did nothing, as all the hacker's files and programs were still there on boot-up. There are a couple hundred files, including Notepad notes to each other about what to do. I believe they are bootlegging software on my PC. Found a certificate program that creates a digitally signed certificate with a date valid from 5/13/04 to 7/13/05 (I bought the PC on 8/25/03). There is everything in there for making all kinds of programs. They have installed lots of programs I didn't buy with the PC or since: Photo Shop, Python, Wild Tangent, Softex, FunWeb, tons of ActiveX's, Java, PS2. Don't really understand why they can't do this on their own PCs - could you explain?
Why did recovery not work??? I got the usual alerts (3 times) that all data would be lost. Not so. I have still not re-installed any of my document files since the LAST recovery a month ago.
I have literally watched a file name change to another one while I just sat there! This is all with NO CONNECTION TO THE INTERNET.
I already had Adaware, Norton AntiVirus, HijackThis, and Spybot on my PC, still there after reformat. Why?
What I did, before going online: System Recovery. Installed Zone Alarm and configured it. Installed SpySubtract and configured it. Ran Adaware, Spybot, HijackThis. Disabled almost every single Service. They use ctfmon. Connected to the internet and proceeded to update Norton AntiVirus - it had problems doing this, probably because the hackers' pre-set programs were trying to stop it.
I found out that they change a file's name in order to make it look like a SpySubtract or other good program's component - and fooled me into accepting an active network that I can't delete, with the IP address of 169.254.0.0./255.255.0.0. This was through SpySubtract, in which I was refusing access to everything I thought was bad. These people have set up programs that run themselves and anticipate and stop anything I do. They are using Remote Procedure Call and Remote Access Connection Manager, which I was unable to disable in Services.
Also, back on 7/20/04, I wrote down something that may be important:
There were 6 logon process names:
K Sec DD
LAN Manager Workstation Service
And I received these messages:
"a notification package has been loaded by the Security Account Mgr. This package will be notified of any account or password changes. Not. Pak Name: scecli"
"a trusted logon process has registered with the local security authority. Logon Processname: Winlogon\MsGina"
"authentication package loaded - name: c:\WINDOWS\SYSTEM32\MSV1-0 SOFT AUTHENTICATION PACKAGE_v1_0"
Plus, 6 more additional ones were sent that I didn't write down.... (printer disabled)
What can I do now? Reformat does nothing. How can I get my PC back? I am afraid to contact the company with my service agreement because I am suspicious that they might have installed this on the PC before I even got it home. I had problems soon after purchase, and I was (mostly still am) totally unknowledgeable about this stuff. Thought Norton firewall and virus and a spam program was all one needed. Ha! BestBuy sold me the PC and, dumb me, I let them install and set up the system for a mere $20. Never again. Could one of their employees be doing this???
A few possible identifying things to help find these people (all found on my PC):
The Terminator (software made by Matt Gerrans of Key Concepts, Inc)
Sleep (also by Gerrans) DOES ANYONE KNOW OF HIM?
The URL: http://us8.hpwis.com
(they redirected my IE to that)
RASMAN is now the administrator of my PC (probably means nothing, just a code)
Sneely gets notebook files sent to him.
Another IP: 18.104.22.168/255.255.255./28
And another: 169.254.0.0./255.255.0.0
redirected home page: www.microsoft.com/isapi/redir.dll?prd=ie8clcid=0x0409&pver=6.0&ar=home
I have 100 or so files saved on a CD. No idea what; I was saving as fast as I could anything I could. I can look later when I don't have to PAY to be online at Kinko's.
I have one 36-page file called ims, saved on CD and printed out. Here is a sample of this file:
"the list of shared files to uninstall in the event of remove all or uninstalling the last component..."
"Sneely, uninstall obsolete files"
"this is a section containing all the destination directories" (with list following)
"s], with long list of gif and html files such as: xmo_10.gif, moc04_31.htm, refwelcm.htm, smtpcfg.hlp"
"This is a section containing all the registry to metabase operations. The format of the parameters are as follows:" (with long list following this)
"This section contains a list of all controls that have to be registered....." (files like:)
"sneely: changed to add media strings here. Note that [strings] must be the last section in this file"
cdname = "windows XP Home Edition CD-ROM"
productname = "Windows XP Home Edition"
bootname1 = "Windows XP Home Edition SP1 Setup Book Disk"
I could print out some of the other files I have on CD. Should I do this? Any possible hope of getting these people? I am so pissed. There must be a way!
Sorry for the very long message - I was trying to give as much info as possible, and also perhaps some will learn something from this mess. I want my PC back. What do you recommend?
P.S. SpySubtract kicks butt. I highly recommend it. Sorry, folks, but Adaware didn't help me too much. And Zone Alarm firewall appears to leave Norton in the dust.
Thanks once again for all that you can do to help.