
Is HAL haunting my computer?

Discussion in 'Security and Privacy' started by loonychoons, 2005/04/07.

Thread Status:
Not open for further replies.
  1. 2005/04/07
    loonychoons Lifetime Subscription

    loonychoons Inactive Thread Starter

    Joined:
    2004/12/30
    Messages:
    249
    Likes Received:
    0
    Two nights ago I had occasion to enter my little computer room, and found my computer on (not the monitor but just the computer)? I did not think much of it and just shut it off, thinking that maybe I had forgotten to shut it down earlier. In the wee hours of this morning I found it on again, but instead of just shutting it off again, I turned on the monitor, and found it busy going through web sites? This time I disconnected it from my server and it is still off line. I DO NOT want to allow it back on line again until I can be sure that it won't do that again, as I have had a number of odd actions happening around and with my contacts. I thought that I was well protected, so I am not sure what happened and/or what I should do. I have contacted all my important contacts, "Banks and Investments and such", changing all pertinent passwords. Thanks, Lenny Chowns
     
  2. 2005/04/07
    smokinjoe

    smokinjoe Inactive

    Joined:
    2003/10/25
    Messages:
    40
    Likes Received:
    0
    Hal

    Is Remote Desktop enabled on your computer?
     


  4. 2005/04/07
    loonychoons Lifetime Subscription

    loonychoons Inactive Thread Starter

    Joined:
    2004/12/30
    Messages:
    249
    Likes Received:
    0
    Smokinjoe: The computer in question is still off line. I have plugged it in to the power again, but my password won't work? When I found it running (by, I think, someone else somewhere else) I just ripped out the dial up connection, and shut the computer down with the surge bar switch. I know that I should not have, but I panicked; all that I could think of was my sensitive information on that Hard Drive. Also I was half asleep. No, to the best of my knowledge the remote was not on, or at least not enabled by me here on site. Lenny
     
  5. 2005/04/07
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Lenny,

    There are a few things that I'm not clear on: you mention dialup, so the question, why would you leave that on overnight?

    But aside from that, one way to add security if you have sensitive info on your HD is to get an external USB drive for that purpose and backup purposes as well, which when not in use can be shut down w/o affecting the rest of the system.

    Regards - Charles
     
  6. 2005/04/07
    loonychoons Lifetime Subscription

    loonychoons Inactive Thread Starter

    Joined:
    2004/12/30
    Messages:
    249
    Likes Received:
    0
    Phone line was attached.

    Charles: The phone line was plugged in but I know that I disconnected from my server before I shut down for the night. But even if I forgot to sign off, I know that it would have done so when I shut down the computer or very shortly after! Is this wrong? Recently I have had a few (actually a large number) attempted Browser Hijackings. Is it possible that one finally got through and installed a backdoor in my system that they are now using? I have been contemplating wiping out everything and, on a clean slate, reinstalling my software.

    I pay for my on-line time from my server and get 75 hours per month. I have never used that much before. That is, until last month when they added an extra $50 for 50 extra hours of use. I was also on a Religious Bulletin Board and someone used my user name and password and sent one of their "Administrators" a bogus post that verged on Libel. I have been mailed confirmations on line of credit increases that I did not ask for. Also a couple of my investment people have asked why I had to use up the sign on times that they allowed me.

    As far as the external USB, that's a good idea, and I will address it after I get this mess cleaned up. Thanks for your concern. I am very unsure and reluctant in allowing this system back on line again "{as is} without a fresh start"; would that be your opinion too? I thought that I was well protected, but I guess not??? Lenny

    Is it possible that someone could be utilizing my system from somewhere else for some time (many weeks or months) and me not be aware of it??? Lenny again!!!

    P.S. It will be harder to answer posts as quickly now as I have to borrow a computer to reply???
     
    Last edited: 2005/04/07
  7. 2005/04/07
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Lenny,

    Are there any indications of any processes running that you're not familiar with? It may pay to go thru each process and find out what each running program or process is while you're on-line.

    One way to do this is using tasklist.exe; it's only on XP-pro, so if running Home you'll need to download it along with the instructions from here:

    http://www.computerhope.com/download/winxp.htm

    It goes into the \Windows\System32 folder.

    What it does is list all the processes running in Task Manager plus breaks out processes running under SVCHOST.EXE, XP "bundles" services under that name.

    The way to run: Open a cmd box: start > run > type cmd > ok and type:

    tasklist /svc > c:\tasklist.txt

    That will put it on the root of C, look for tasklist.txt. Copy and paste is easier than typing; there's a space between tasklist and /svc.

    Read thru these threads on software to list/intercept processes:
    http://www.windowsbbs.com/showthread.php?t=29075&highlight=SSM
    http://www.windowsbbs.com/showthread.php?t=39800&highlight=SSM
    http://www.windowsbbs.com/showthread.php?t=42410&highlight=SSM

    Regards - Charles
     
    Last edited: 2005/04/07
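The review of the `tasklist /svc > c:\tasklist.txt` capture described in the post above can be scripted. This is an added example, not part of the original thread: it goes a step beyond the post by diffing a capture against an earlier known-good one, and it notes the services tied to the Remote Desktop questions raised in the thread. The sample captures, the image name `updater32.exe` and the `REMOTE_ACCESS` watch list are constructed assumptions.

```python
import re

# Constructed sample of `tasklist /svc` output (not taken from the thread).
BASELINE = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
svchost.exe                  880 DcomLaunch, TermService
svchost.exe                 1020 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 EventSystem
"""
# Constructed later capture: one extra wrapped service and two new images.
CURRENT = BASELINE.replace("EventSystem", "EventSystem, Schedule") + """\
sessmgr.exe                 1444 RDSessMgr
updater32.exe               1780 N/A
"""

# Assumption: short names of the XP services behind Remote Desktop and
# Remote Assistance; extend the set for other remote-control software.
REMOTE_ACCESS = {"TermService", "RDSessMgr"}

# Image name (may contain spaces), PID, then the services column.
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")

def split_services(text):
    return [s.strip() for s in text.split(",") if s.strip() not in ("", "N/A")]

def parse_tasklist_svc(text):
    """Return [(image, pid, [services])]; wrapped service lines are merged."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), split_services(m.group(3))))
        elif line[:1].isspace() and line.strip() and rows:
            rows[-1][2].extend(split_services(line))  # continuation line
    return rows

def review(current_text, baseline_text):
    """List what differs from the baseline, plus remote-access services."""
    base = parse_tasklist_svc(baseline_text)
    base_images = {img.lower() for img, _, _ in base}
    base_svcs = {s for _, _, svcs in base for s in svcs}
    findings = []
    for img, pid, svcs in parse_tasklist_svc(current_text):
        if img.lower() not in base_images:
            findings.append(("new-image", img, pid))
        for s in svcs:
            if s not in base_svcs:
                findings.append(("new-service", s, pid))
            if s in REMOTE_ACCESS:
                findings.append(("remote-access", s, pid))
    return findings

if __name__ == "__main__":
    for finding in review(CURRENT, BASELINE):
        print(*finding)
```

A finding is a prompt to look the item up, not a verdict: `TermService` runs on a default XP install, so what matters is whether remote connections are actually allowed.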
  8. 2005/04/07
    loonychoons Lifetime Subscription

    loonychoons Inactive Thread Starter

    Joined:
    2004/12/30
    Messages:
    249
    Likes Received:
    0
    Boy Charles that was quick! Thanks!

    I was still here at the borrowed computer checking on my e-mails! No, sorry for me, I have Home. I am still embarrassed about that Posting on the other board that I told you about, and never want to be in that pickle again! So I am very reluctant to let my computer on line again without modifying anything? Can I download that program here onto floppies and install them on my computer? I guess that may not work if you want me on-line to monitor tasks? What do you think of Restoring back into time (maybe 6 to 8 weeks ago) and working up from there? Thanks, Lenny Chowns
     
  9. 2005/04/07
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Lenny,

    Tasklist.exe will fit on a floppy, the other stuff won't.

    System Restore: Only you can say whether that's feasible; any programs or MS updates since that point back in time will be gone. The other factor with SR is whether there will be enough room for it to do this operation. Make sure that you have the max file size - 12% of HD space - set for SR. Right click My Computer > SR tab > settings.

    Regards - Charles
     
  10. 2005/04/07
    loonychoons Lifetime Subscription

    loonychoons Inactive Thread Starter

    Joined:
    2004/12/30
    Messages:
    249
    Likes Received:
    0
    Charles Thanks Again!

    My sons are here now; they are a little more computer knowledgeable than me. We are going to have the other posting Board unregister me, therefore no one should be able to hack into or use my name and/or password there. Then when I isolate or remove all my sensitive info I will go on line and see if we can find the problems using the new program that you have provided to me. I will keep you posted as to what we find. Thanks for your generous help! By the way, they don't quite believe in what I said happened? They are going to investigate just to see if I am losing it. Hey, do not get old, you start seeing things? ha ha ha. Lenny

    When I post back I am hopeful that it will be from my computer, so it might be awhile!!!
     
    Last edited: 2005/04/07
  11. 2005/04/07
    loonychoons Lifetime Subscription

    loonychoons Inactive Thread Starter

    Joined:
    2004/12/30
    Messages:
    249
    Likes Received:
    0
    All seems fine now?

    Charles: My boys think you are a pretty intelligent Gent. They feel that I probably did have some info Hacked!, but that was all. There is no haunting or ghost in my computer. I have installed the task program that you suggested. My wife or I may have left the computer on and on-line? And me being only half awake misjudged the situation? We ran all my security programs again? And I am writing this Post on my own computer! Thanks to you again, you have saved the day. In support of my mixed up mind, I did lose my Brother to the big "C" about 2 weeks ago. He was the youngest and had just turned 49, too young to die??? I have been a little out of it for awhile. Time will heal all wrongs. Lenny Chowns

    P.S. I will read over the threads and keep a close eye on the inner workings if and when I think there is a problem again.
     
  12. 2005/04/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Some PCs have a Wake on Modem feature, which could be used through hacker activity, but not sure how they would get it to work from a shutdown state, rather than sleep, suspend or hibernate. It's not unimaginable to me though, that a file could be dropped on a machine that would over-ride the shutdown command and put it into one of the mentioned modes, and it would appear to be shut down. I recommend doing several online virus scans first.

    Panda ActiveScan
    Kaspersky
    Trend Micro Housecall
    RAV

    Should they all come up clean, run this free trial beta rootkit detector.
     
  13. 2005/04/08
    loonychoons Lifetime Subscription

    loonychoons Inactive Thread Starter

    Joined:
    2004/12/30
    Messages:
    249
    Likes Received:
    0
    noahdfear "Dave "

    Actually I do have a program installed that helps with dial up downloads called "Meta Products". I feel that it works great for large programs like (Adobe); it sets up 7 contacts so that one will receive while another sends while another waits while another "who knows what". I was reading their literature and I am sure that I can set it to come on, dial up, connect, download, and turn off, at non peak times or when I am not using the computer! Thank you for the on-line virus check programs web sites. I will put them to good use. I have used the root kit before, and found a number of things. Asked for their help in removing them and was told they were O.K., I think? It was quite a while ago? I will run it again. Right now I use SHIELDS UP & The Symantec Hacker check to check for computer security. Thanks, loonychoons Lenny
     
  14. 2005/04/08
    loonychoons Lifetime Subscription

    loonychoons Inactive Thread Starter

    Joined:
    2004/12/30
    Messages:
    249
    Likes Received:
    0
    Dave:

    I ran all of the suggested tests; they all passed? Therefore my computer should be clean? Right? Am I barking up the wrong tree? -Or- do you or anyone else think that someone's computer could be shanghaied and used for whatever they wanted without that person being aware that it is happening? Unless they happened to stumble onto them accidentally when they are using it???? loonychoons Lenny
     
  15. 2005/04/09
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Lenny,

    To follow up on my suggestion for isolating your sensitive data from the rest of the System:

    You can go two ways: one, comparatively cheap, is to buy a HD and an external HD enclosure: http://www.windowsbbs.com/showthread.php?t=38548 The advantage is that you can format the drive as NTFS as well as FAT32.

    The second is to buy a unit sold as an external drive; these are formatted as FAT32 in order to be compatible with 9X OSes, not sure whether these can be formatted to NTFS. It also would probably come bundled with backup software. An example of someone that did this: http://www.windowsbbs.com/showthread.php?t=43314&page=1&pp=15 The issue of being able to boot or not is not relevant to you.

    You sound like you're not going to be happy until you reformat and reinstall the OS.

    Regards - Charles
     
    Last edited: 2005/04/09
  16. 2005/04/09
    loonychoons Lifetime Subscription

    loonychoons Inactive Thread Starter

    Joined:
    2004/12/30
    Messages:
    249
    Likes Received:
    0
    Thanks Charles!

    I will look into the suggestions that you mentioned. Right now will be the $ as my wife watches my computer budget quite closely, me being on a pension? I guess no system is truly safe? No one seems to have a hard and fast rule about computer Hijacking and/or hacking or if someone could turn my system into a dumb monitor "something like me -DUMB-". Thanks again, Lenny
     
  17. 2005/04/09
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    No system is 100% safe, you've got to monitor it all the time.

    Hard and fast rules are for static threats, unfortunately malware keeps evolving and the defense must evolve with it.

    One rule that would come close to hard and fast is locking down the browser - meaning disable ActiveX - Java applets - Scripting and toggle them at need.

    Another way is to create a limited user account where privileges are minimized.

    BTW, I think you're beating yourself up too much.

    Regards - Charles
     
    Last edited: 2005/04/09
  18. 2005/04/09
    loonychoons Lifetime Subscription

    loonychoons Inactive Thread Starter

    Joined:
    2004/12/30
    Messages:
    249
    Likes Received:
    0
    Charles

    I seem to have left the straight and narrow path and I am on a tangent or something with my Questions? I know that computer security is an ongoing fight and I accept that. Breaches have happened and will happen again. My question is this and only this. Can what I said happened with my computer, happen? Or is it all in my mind and I made a mistake interpreting what I experienced and saw that morning. If someone says that that could not happen in a million years, I will agree with that and look for a cause somewhere else, like maybe "nearby" sabotage. I appreciate everyone's help and it would have been very rude of me not to look into each suggestion and try to apply it, but so far all the checks have not found a culprit. If there is no answer to this question then that is fine also. Yes, I am beating myself up over this because I do not want to think that I am losing it. On the other hand, if technology has advanced far enough to allow someone to Shanghai my system then I am prepared to live with that also. I know that I said that I would manually disconnect the phone line from now on, but it is hard to break an old habit. I left it connected but signed off last night, and that &%$# computer was on again, doing nothing but it was on again??? Lenny
     
    Last edited: 2005/04/09
  19. 2005/04/09
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Lenny
    There is a "remote access" on Windows XP MSN Messenger (I believe) so someone could help you with problems. There is a tab that lets someone take control of your computer. In this program you can cancel that any time though.

    So I believe that it is possible that there is a way for undesirables to take control of someone's PC. Though they usually go after broadband not dial-up users, much faster that way.

    But I'm sure others here know more about it than I would, I'm a newbie compared to most here.

    Geri
     
  20. 2005/04/10
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Lenny,

    "I left it connected but signed off last night. and that &%$# computer was on again, doing nothing but it was on again???"

    Are there firewall logs you can look at for that period of time? What is your firewall?

    Another way: look at IE history for the time period, any activity?

    Does this only happen if the phone is connected? In Internet options > connections tab, how is that setup? Never dial - dial whenever a network connection not present?

    What are your power settings?

    In the IE tool bar, click on Manage add-ons, what are the add-ons?

    Remote Desktop Help Session Manager service, is it disabled? Start > run > type services.msc to get to the Services page.

    Read this thread and use the references to go thru your startups - good to do in general and to eliminate background "noise".
    http://www.windowsbbs.com/showthread.php?t=39425

    I'll follow up with anything else I can think of.


    Geri,

    "There is a "remote access" on Windows XP MSN Messenger"

    What you're referring to is the Remote Desktop Help Session Manager service using Windows Messenger, not MSN Messenger.

    Regards - Charles
     
    Last edited: 2005/04/10
  21. 2005/04/10
    James

    James Inactive

    Joined:
    2004/07/14
    Messages:
    1,004
    Likes Received:
    0
    Regarding the Remote Desktop Help Session Manager, mine is currently set on Manual as opposed to Automatic or Disabled. What is your advice in this regard?
     