Computer Help forum

Resolved Question

ive a huge hacker problem

by lyfemare / November 12, 2012 7:16 AM PST

ill try to keep this short and if others have ideas then ill give more as it goes along. i have a massive security breach on my home pc. the hacker has a hidden partition on it that is "system protected" and i have no idea how to access. the hacker owns the "c" drive with all the real power. and i have a "x:" drive with illusionary power. on the hidden partition are a few system important files which cause my num lock key to light up upon boot. and various event logs tracking my browser history and all passwords. i am part of a homegroup i never signed on for.

ive tried using diskpart (the cmd has been comprimised and doesnt list all possible switches), used various partitioning tools gparted ect. i own the windows disc and have formatted numerous times. but the hidden system partition installs during the install process something called trusted installer which immediately takes control of everything and makes unauthorized changes. thhe cmos is also compromised.

short of getting a manufacturers system disc is there anything i can do thats relatively painless. im willing to allow a remote session with anyone as my system isnt really mine to begin with.

lyfemare has chosen the best answer to their question. View answer
Answer This Ask For Clarification
Discussion is locked
You are posting a reply to: ive a huge hacker problem
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: ive a huge hacker problem
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Clarification Request
anyone responding yet?
by lyfemare / November 12, 2012 11:05 AM PST

i got an email saying it was updated but i dont see any responses...

Collapse -
Clarification Request
Tell us more ...
by Edward ODaniel / November 14, 2012 11:23 AM PST

such as:
1. the make and model of the computer
2. how long you have had the computer
3. the operating system on the computer (as well as its service pack level)
4. What GROUP is your user account in (admin, power user, limited user, etc.)
5. What makes you think "the hacker owns the c drive" (open Windows Explorer and right click the C drive then look at properties. On its security tab click on the Advanced button and then select the OWNER tab in the resulting window and tell us what it says)

I am curious about these things because a RECOVERY PARTITION placed on the drive by the manufacturer is often SYSTEM PROTECTED.

Windows 7 will remember the NumLock's last state, meaning that if you log out with the NumLock on, it will automatically turn on the next time you log in; If you log out with the NumLock off, it will be off the next time you log in.

You can easily join or create a homegroup if you aren't paying attention to what you are doing.

Which of the Diskpart COMMANDS (diskpart does not use switches) are not available that make you think that diskpart has been "compromised"? Read this page http://support.microsoft.com/kb/300415

From what you have described so far I seriously doubt any "hacker" but think you might not be real conversant with Windows.

Collapse -
its custom made
by lyfemare / November 15, 2012 2:34 AM PST
In reply to: Tell us more ...

ive had it about 2 years

its a gigabyte motherboard s-series h55m-s2v
gigabyte video ram.
there is no manufacturers partition as i had access to 500 gb when i first got it.
its running windows 7 32 bit (though i have more than 4 gb of physical ram installed)
i have access to an administrator account. but theres certain objects i cant access with it that are non vital.
i can run an admin privlidged cmd prompt but take own is not allowed. and previously i was asked for a password before acessing the c drive via cmd but no longer( i suspect he patched it)

i know the hacker owns the c drive because even though the appearance of my c drive is there. certain critical files are missing . and are non exsitant on my cpu. boot mgr boot ini ect have clones that dont do anything.

and when certain critical files have been moved or are in jepordy the numlock light goes on during boot. it hasnt nothing to do with its last state as i always shut it off.

and its the whole command prompt that is comprimised specifically cacls because obviously i could do alot with that.not just the diskpart program.

i really dont expect much help from you because youve just resorted to insulting my knowledge and havent offered much in a way of a solution. if youre so confident of your computer knowldge and my lack there off take me up on my offer of a remote connection.

also one last thing is iprenew/release and every other method results in the same ip address every time. thats a dead giveaway of a hacker.

Collapse -
Untrue.
by R. Proffitt Forum moderator / November 15, 2012 2:37 AM PST
In reply to: its custom made

"also one last thing is iprenew/release and every other method results in the same ip address every time. thats a dead giveaway of a hacker."

Sorry but that's untrue. My background includes writing router code back in the early 90's when routers were just coming out. I see a lot of folk want to help you out but it appears you have some per-conceived ideas that need to be worked out.

Some folk will take offense at such a comment and all you can do is wait for them to catch up or worse?
Bob

Collapse -
i guess you all know everything then and i dont.
by lyfemare / November 15, 2012 8:17 AM PST
In reply to: Untrue.

every person on here has said im wrong in one way or another yet i know an unchanging ipv4 address when i should have an ipv6 address tells me something is seriously wrong. everyone but one of the replies might has well of not been said. either they didnt know enough, or just accused me of something. i can garuntee you that anyone that knew front to back ruby programming would just get me to download a couple cookies and confirm most of what ive said to be true. im not an expert i grant that but do you really think a firewall helps with a computer that has been compromised and has a hidden encrypted partition? if your answers yes please dont respond. and if you do know ruby programming try my computer. it shouldnt be too challenging to crack for anyone that does know it. esspecially with a willing aid at the computer.

and what on earth do you really think iprenew and realase do if not allow you to get a new ip? just a fancy way of disconnecting from the internet? seriously.

Collapse -
Your choice what to do next.
by R. Proffitt Forum moderator / November 15, 2012 8:29 AM PST

You are at a point where you have to decide if you're right or if it's time to catch up with folk that are willing to help you along.

I know of no major ISP fielding ipv6 so that's news that you can bring to the discussion.

-> LOVE RUBY! Great stuff.

Now about the partition. GPARTED has let be blast away such things before but be careful as if you are running 7, it's new partitions have really sent some folk into a tailspin not unlike your discussion here.
Bob (mostly embedded computing, apps, CPU designer, assembler to ADA and beyond.)

Collapse -
alright then.
by lyfemare / November 15, 2012 3:45 PM PST

i also have something called trusted installer on my program. you can even google it, it has websites but i know its a foriegn program and what he uses to take control of my system. there are registry keys to treat some of its commands as "system" . could you tell me what you know about it? windows defender cannot start and actually has registry keys to delay its start.

you all seem to know so much why would that be. i look forward to your answers, well responses.

Collapse -
About TrustedInstaller. That's from Microsoft.
by R. Proffitt Forum moderator / November 16, 2012 12:48 AM PST
In reply to: alright then.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa382540%28v=vs.85%29.aspx and many other web pages. It is from Microsoft so if you want to think that's the hijacker then you're right. Microsoft OWNS this OS and those updates.

About the Defender issue. There's a lot of malware out there and many other reasons for it to fail. The clues are too sparse and you have been combative in your responses which has slowed any resolution to a crawl.

And now we are talking about TrustedInstaller, a Microsoft technology that you feel is something foreign when it's from Microsoft.

-> I'm guessing here that you don't care for Microsoft at this point. Did you want to discuss a move to Linux?
Bob
Collapse -
you know whats funny about that?
by lyfemare / November 16, 2012 5:34 AM PST

i have a clean computer used the same install disc that i dare not connect to my router or internet untill ive moved. and trusted installer is nowhere to be seen. maybe it comes in an update? lol but oh thats right i dont have those turned off but i get "updates" anyway. i really want to know why the other computer doesnt have trusted installer. i want to hear your answer. maybe it just comes in with my hard drive? i really hope you respond. and please be creative.

Collapse -
My answer is
by R. Proffitt Forum moderator / November 16, 2012 6:37 AM PST

I can't tell you exactly which update installs that. I am not a MSFT lacky but have written apps for many decades. Along the way you learn a little but in this discussion it's unclear what you want to hear. That is, if folk disagree or write an answer, even when it's clear that nothing is wildly wrong as we use this TrustedInstaller example.

Your thoughts about IP renewal are interesting to say the least.
Bob

Collapse -
i find you interesting as well
by lyfemare / November 16, 2012 10:01 AM PST
In reply to: My answer is

id like to know for what purpose microsoft added iprenew the name itself sorta implies a change and iprelease if not to give a different ip address. why are they there then? even my isp told me that it should have changed. but it never does. if you really think thats normal maybe you should be the one asking for advice and not me. all you have to go on is what i say and almost everyone has stated "thats normal dont worry about it" and i know a little more than ive been saying just to see what sort of advice was offered.

Collapse -
My background includes router code from
by R. Proffitt Forum moderator / November 16, 2012 10:32 AM PST

It was in the early 90's and our app then would hand out the same IP on a renew to the MAC address.

I see most DHCP servers do this today so why would you consider that incorrect behavior is something I don't understand. But then again, I was deep in router code long ago.

My advice is to not be as combative. Listen and learn.
Bob

Collapse -
Re: TrustedInstaller
by Kees_B Forum moderator / November 16, 2012 6:54 AM PST

Treesize Free says in the folder properties that TrustedInstaller is the owner of both my c:-drive, my Program Files folder and my c:\windows folder. And that's in an unhacked Windows 7 install.

Who else could be the owner, if these folders are made by the Windows 7 installer? Surely the installer trusts itself.

It's a free (and very useful) program (from JAM Software), so you don't have any excuse to not answer the question who's the owner of those three items on that "clean" computer of yours. My guess: it's TrustedInstaller!

Kees

Collapse -
you should have read more carefully.
by lyfemare / November 16, 2012 10:05 AM PST
In reply to: Re: TrustedInstaller

i have a clean system with the same install disc. and there is no trusted installer on it. it just simply isnt on there. even when i wipe this computer trusted installer comes back. why? when a system using the same disc it doesnt show up at all. kinda weird. and the other computer works just fine.

Collapse -
Re: trusted installer
by Kees_B Forum moderator / November 16, 2012 8:55 PM PST

You didn't answer my question, alas.

Since trusted installer is a part of Windows 7, it should be there. This is mine:
C:\Windows\winsxs\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.1.7601.17514_none_93149d6fab68cf06\TrustedInstaller.exe
It's version 6.1.7601.17514, copyright by Microsoft, dated 20-11-2010.

And what's yours on that "clean" system?

I don't expect you to answer that question, by the way. You don't answer many questions. You only repeat your paranoid statements about a hacked system.
In my Nov 16 post below, I explained what you should to do go back to normal. But it seems you don't want to go back to normal. Apparently, you enjoy suffering being hacked. Well, best of luck and enjoy.

Kees

Collapse -
Agreed
by mchainmchain / November 17, 2012 2:33 AM PST
In reply to: Re: trusted installer

This post./thread was initiated on 11/12/2012. It is now 11/17/2012.

Noted that OP is still talking about original problems with no apparent progress, nor have replies been made to indicate such solutions has even been attempted to be applied.

Seems to have made a point of ignoring most questions asked by other users here as well.

Some just like to complain; some may actually have a hidden agenda. Think the latter applies here, as many responses by the OP have actually been defensive and combative, and not grateful and thankful for any assistance. About the only thing the OP got out of this was the introduction to R. Proffitt and you, and also your consequent display of IT knowledge and experience.

No work appears to have been done yet to the sick system as far as I can tell.

A major point of the OP was to have someone connect to his/her computer, even tho it was buried in the post, by a remote connection.

Wonder if anyone fell for that one yet? What, exactly, would one find on the system if one did that? And, what exactly were the OP's expectations to repair any problems found, and how could these problems be fixed any other way other than a clean install and/or replacing the motherboard and/or the hard drive?

These problems cannot be fixed remotely. They can only be fixed by the OP, and no one else.

I think it time to lock this thread unless the OP shows the necessary initiative to start resolving his/her problems.

Am unsubscribing to this thread irregardless. Seems a total waste of time.

Please lock this thread if, in your opinion, you share this view.

Collapse -
Well, you answered some ...
by Edward ODaniel / November 15, 2012 12:31 PM PST
In reply to: its custom made

of the questions asked but why not all? We are TRYING to understand your problem but YOU need to accept the help offered and respond to all the questions because we are not mind readers.

You keep saying that "the hacker owns the c drive" but you didn't follow up on the instructions to discover the actual OWNER.

We now know that this is a computer without a recovery partition but with Windows 7 you will have a small System Reserved partition at the beginning of the disk that serves two functions. First, it holds the Boot Manager code and the Boot Configuration Database. Second, it reserves space for the startup files required by the BitLocker Drive Encryption feature.

You mention "certain critical files are missing" but fail to name them so we don't know they are critical or even missing.

Now you are saying that the whole command prompt is "compromised" rather than just Diskpart which you initially claimed was the "compromised" command that I linked you to some instruction on its use. You say " its the whole command prompt that is comprimised specifically cacls because obviously i could do alot with that.not just the diskpart program" and again that makes me think you might not be familiar with Windows because cacls is a command and all the command possessor (the command prompt cmd.exe) does is run (process_ the command. Aren't you getting a nice little message to the effect that "NOTE: Cacls is now deprecated, please use Icacls." Additionally your syntax may be incorrect so this might be of help:
http://technet.microsoft.com/en-us/library/bb490872.aspx

Bob has already explained that getting a new lease on the same IP address is not significant of anything, much less any "dead giveaway" of someone hacking or cracking your computer.

Back to the numlock, although it is last state oriented it is possible that the registry key is not changing and that you may have to do that edit manually - since you really seem to want to complain rather than work through the assistance offered I will only suggest you look up windows 7 numlock registry entry (just enter the search term exactly as shown in the bolded text and there you are. If you really were concerned about fixing that rather than ranting, I would even point you to -
http://answers.microsoft.com/en-us/windows/forum/windows_7-hardware/windows-7-how-to-turn-off-numlock-at-the-logon/0feb11e6-bd9e-48fa-bbb3-84ff28d9c6fd

Collapse -
the recovery partition is not 50 gb for windows.
by lyfemare / November 15, 2012 3:55 PM PST

at any rate tell me what you know about a program called "trusted installer" its on my computer and has taken control of it. and runs every time i do a system wipe. is it normal im really looking forward to your response on that.

the cmd doesnt list all the switches or even commands when i type /?

some of the explainations are wrong or missing for some of the commands. and i meant Icacls.

he or they rather can even control which websites i can go to for help.even a false windows site.

Collapse -
Trusted Installer is a Microsoft service
by Edward ODaniel / November 17, 2012 6:05 AM PST

The Trusted Installer is a service named Windows Modules Installer. It handles Windows updates and optional components. If it is disabled, installations/uninstallations may not work. Trusted Installer is the 'owner' of most system files and registry entries.

More information here http://technet.microsoft.com/en-us/magazine/cc138011(TechNet.10).aspx

RE: "the cmd doesnt list all the switches or even commands when i type /?"
That is normal. It will only do so for the commands written to offer such help. For other commands try HELP name_of_command and for come others such as DISKPART you have to start the utility first then get the help screen because the /? switch only offers an abreviated:
/s <script> - Use a DiskPart script.
/? - Show this help screen.

Now if you were to type DISKPART then press the enter/return key to start DISKPART you could then type help to see the diskpart commands available to you for your use.

Regarding your belief that retaining the same IP address is some sort of confirmation of a "hacker" and your wondering about <b>"id like to know for what purpose microsoft added iprenew the name itself
sorta implies a change and iprelease if not to give a different ip
address. why are they there then? even my isp told me that it should
have changed. but it never does."</b> To start with there is no iprenew or iprelease - there are only renew or release switches for the ipconfig command. The switches are there so you can manually release and then renew an IP address should you be having address problems for some reason. If you are using the commands from a command prompt on your computer the commands are only working with your LOCAL network and affect ONLY your local IP addresses. If your router only has a few devices connected to it it is quite normal for your renewed address to be the same as the old one you just released. On the other hand if you disconnect your boradband modem or use dial-up services through a modem then it is the ISP's DNS Server that assigns the new IP address and with so many more connections it is common to receive a new address from the ISP. That 192.168.nnn.nnn address that you are so very worried about originates not with your ISP but with your router.

malware can be responsible for re-directs of your web browser and quite often are the result of some browser toolbar that you added - again, without evidence to the contrary which you have not produced your "problems" are NOT any "hacker" but simply your misunderstanding of how Windows and related elements such as IP address leases actually function.

I'll ask again for you to follow the guidance I previously offered for you to see and TELL US who the owner of your C: drive actually is since you claim it is this "hacker".

PS - READ the links offered to better understand things you have asked about and blamed on some "hacker". That is why we offer the links for your assistance.

<script> - Use a DiskPart script.
/? - Show this help screen.

If you enter the command DISKPART then press the enter/return key to start the utility you can then type help to see the commands available such as list and convert and select.

</script>

All Answers

Best Answer chosen by lyfemare

Collapse -
Major trojan infection
by mjd420nova / November 14, 2012 5:02 AM PST

The only other possiblity would be a RootKit or a FLASH virus. If you have the original disk, turn off the machine, remove the CMOS battery and WAIT thirty minutes. If the MOBO has a default jumper, install that for two minutes without the battery. As soon as you get a video or CPU BIOS screen, hit F1 or ESC to get into the BIOS and set the machine to boot from the CD/DVDd drive and insert the WIN disk. That should get you a complete clean, don't try to repair. All was lost before anyway and this will force the BIOS to unload from the firmwar chip and not a FLASH chip. That's one way for entry to be gained is by installing the virus in the flash BIOS. No matter how hard you try, it still reloads itself, even when wiped from the disk. A full reload should have cleaned out everything, including any hidden partitions.

Collapse -
thank you mjd420nova
by lyfemare / November 14, 2012 8:42 AM PST
In reply to: Major trojan infection

i think i understand just remove cmos battery for 30 mins and hit the cmos jumper? now if the rom were flashed by him there would be no way to reset things to factory defaults short of the hd factory disk?

Collapse -
Answer
Hacks??
by pgc3 / November 13, 2012 2:08 AM PST

You'd have to clarify "MY SYSTEM ISN'T REALLY MINE TO BEGIN WITH"

Collapse -
it isnt mine because i cant control it
by lyfemare / November 14, 2012 4:37 AM PST
In reply to: Hacks??

the hacker used true cypte i belive to create a hidden partition . im not very familiar with true crypt but im trying to learn it. is there any way to decryt a encrypted drive that used true crypt?

Collapse -
Answer
I can see you scared away folk.
by R. Proffitt Forum moderator / November 13, 2012 2:20 AM PST

Maybe all you need to add is a FIREWALL. I don't offer any help on selection and use but my opinion only. You need a firewall. That will lock them out.
Bob

Collapse -
Hacks etc.
by pgc3 / November 13, 2012 2:55 AM PST

Begs the question, who is hacking whom, alluding to my prior response.

Collapse -
im not a hacker.
by lyfemare / November 14, 2012 4:40 AM PST
In reply to: Hacks etc.

i can prove it and you can by allowing a remote connection. you can put whatever you want on the hidden partition to see if the hacker might even talk to you. he knows everything... but consider this. why would a owner of a system use a partition that is less than 50 gb on a 500 gb ssd and then allow me to use the larger one? youll also see all the critical files are on this small hidden partition if you dont believe me as well as logs of MY activity. not the other way around. just depends on how good you are with your computer. ruby knowledge would be a bonus as i dont believe he knows much beyond c# and i know almost nothing about it.

Collapse -
Sorry, I'll Pass
by mchainmchain / November 14, 2012 9:32 AM PST
In reply to: im not a hacker.

1.) You say you are hacked.
2.) You will allow a remote connection to your computer.
3.) Now we have a mutual linked connection to my computer.
4.) You say you have a problem. Who's to say differently until the connection is made? Maybe this is a booby-trap for the naive?
5.) You seem to think we can help you with your problem via a discussion on c|net forums.. Sorry, you've a bit of work to do and since the computer in question is in front of you and not us, really cannot help do the work you need to do.
6.) Then there is the issue that this computer is not really yours; you do not own it, nor did you buy it?

If # 6 applies, why not give it back to the rightful owner and let him/her deal with this? Or just toss it, since it is not yours? You may not own it, but you certainly have that option. Just say you gave it away.

Collapse -
look man
by lyfemare / November 15, 2012 2:20 AM PST
In reply to: Sorry, I'll Pass

supposing youre right. im some hacker or theif and ive broken into a computer. someone has given me a pretty good response already. why not instead of hindering any help ill get by clogging my forum with unhelpful junk you just say nothing?

you might be right some of the time when you accuse someone of hacking or less then honorable intentions. but instead of wasting your time on them try helping people you actually believe need it. and honestly anyone that knew anything about programming would quickly realize that im not an computer threat in any way. though my hacker might be.

Collapse -
Remote
by pgc3 / November 15, 2012 2:47 AM PST
In reply to: Sorry, I'll Pass

Mchain...as you said naive...no way in the western world would I do a remote under this circumstance..you'd have to be a brainless twit.

Collapse -
i should also mention
by lyfemare / November 15, 2012 5:46 AM PST
In reply to: Remote

he can controll the sites i have access to as well.

Popular Forums
icon
Computer Help 49,613 discussions
icon
Computer Newbies 10,349 discussions
icon
Laptops 19,436 discussions
icon
Security 30,426 discussions
icon
TVs & Home Theaters 20,308 discussions
icon
Windows 10 360 discussions
icon
Phones 15,802 discussions
icon
Windows 7 7,351 discussions
icon
Networking & Wireless 14,641 discussions

CNET's Tech Minute

Top 3 news reading apps

With the latest tech, getting news delivered to your phone is easier than ever. Here's a roundup of apps that are customizable and useful for getting the news.