Microsoft Security Hole

RE:  The malware is not on the system - it IS the system.

 

I have been battling for months with a type of malware that does not show up on any scan, but it disables AV software.  So far, Norton 360 is the only AV that was not shut down, but it still does not detect anything wrong.  This malware, I call HarlanHugo Hack, infected my computer as a device driver.  Then it conducted over 300 "Windows Updates" from its own proxy server. It appears that it is a counterfeit Windows, with re-engineered system files that pass every test.

 

1. Everything "looks" like normal Windows 7 to the casual observer,
2. My computer is in Spanish, hacked system files are in English - this includes the WindowsUpdate.log,
3. My computer was definitely infected by a device driver, and I need help locating it. And I repeat, everything looks like normal Windows 7,
4. My Servicios de Escritorio remoto (Remote Desktop Service) keeps being reset to Automatico by some part of the system, after I DISABLE it time and time again.
5. There are 8 WAN Miniports that I did not install! Where do I look to find out how my IP Address changes by itself, I suppose to connect to the proxy where it is getting its Windows Updates?
6. UDP IPv6 requests are being recorded by Norton Firewall, even though IPv6 was disabled from the adapter.

 

Help me, please.  I have run all the Norton scans that show nothing.


fyzzx4phun wrote:

RE:  The malware is not on the system - it IS the system.

 

I have been battling for months with a type of malware that does not show up on any scan, but it disables AV software.  So far, Norton 360 is the only AV that was not shut down, but it still does not detect anything wrong.  This malware, I call HarlanHugo Hack, infected my computer as a device driver.  Then it conducted over 300 "Windows Updates" from its own proxy server. It appears that it is a counterfeit Windows, with re-engineered system files that pass every test.

 

1. Everything "looks" like normal Windows 7 to the casual observer,
2. My computer is in Spanish, hacked system files are in English - this includes the WindowsUpdate.log,
3. My computer was definitely infected by a device driver, and I need help locating it. And I repeat, everything looks like normal Windows 7,
4. My Servicios de Escritorio remoto (Remote Desktop Service) keeps being reset to Automatico by some part of the system, after I DISABLE it time and time again.  N360 will try and turn this service on because of the Terminal Services.  You can still block REMOTE INCOMING access manually.
5. There are 8 WAN Miniports that I did not install! Where do I look to find out how my IP Address changes by itself, I suppose to connect to the proxy where it is getting its Windows Updates? How do you know the IP is changing from the system side and not from your ISP service / router side?  What addresses (or range of addresses) are you seeing?
6. UDP IPv6 requests are being recorded by Norton Firewall, even though IPv6 was disabled from the adapter. Do you have the 'Automatic Learn IPv6 NAT Traversal Traffic' option in the N360 Smart Firewall turned on?

 

Help me, please.  I have run all the Norton scans that show nothing.


Are you still running ZoneAlarm and N360 together?

Do you have the 'Automatic Learn IPv6 NAT Traversal Traffic' option in the N360 Smart Firewall turned on?  - I have Automatic Program Control Off, and the Automatic Learn is grayed out in the On position.

 

I was dealing with the remote desktop enabling itself long before I bought Norton 360.  Yes I am using ZoneAlarm with N360.

 

Here is a screen capture of the restore points the system is putting in on a regular basis, while it "configures" programs.  Automatic Updates is set to Never.

english and spanish restore points

Category: Scan Results
Date & Time,Risk,Activity,Status,Task Name,Scan Time (d:h:m:s),Total items scanned,Files & Directories,Registry Entries,Processes & Start-Up Items,Network & Browser Items,Other,Trusted Files,Skipped Files,Total Security Risks Detected,Total Security Risks Resolved,Total Security Risks Requiring Attention
12/22/2011 10:10 PM,Info,Idle Quick Scan results,Completed,Idle Quick Scan,0:00:01:47,"6,709","1,254",181,"4,700",25,549,0,0,0,0,0
12/22/2011 7:00 AM,Info,Idle Quick Scan results,Completed,Idle Quick Scan,0:00:02:37,"6,224","1,159",184,"4,307",25,549,0,0,0,0,0
12/21/2011 12:20 PM,Info,Idle Quick Scan results,Completed,Idle Quick Scan,0:00:01:48,"5,775","1,081",171,"3,949",25,549,0,0,0,0,0
12/20/2011 1:09 PM,Info,Idle Quick Scan results,Completed,Idle Quick Scan,0:00:01:25,"5,896","1,079",175,"4,068",25,549,0,0,0,0,0
12/20/2011 5:15 AM,Info,Idle Quick Scan results,Completed,Idle Quick Scan,0:00:03:04,"6,142","1,097",171,"4,300",25,549,0,0,0,0,0


Category: Firewall - Network and Connections
Date & Time,Risk,Activity,Status,Recommended Action,Category,Gateway Physical Address,Subnet Identifier
12/23/2011 2:42 PM,Info,"IP address has disappeared from adapter Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20) and is no longer being protected (IP address: 169.254.165.52).",Detected,No Action Required,Firewall - Network and Connections,,
12/23/2011 2:42 PM,Info,Connected to a protected network. (00 B0 6C 07 0F A3),Protected,No Action Required,,00 B0 6C 07 0F A3,
12/23/2011 2:41 PM,Info,"Protecting your connection to a newly detected network on adapter \"Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20)\" (IP address: 201.206.012.345).",Detected,No Action Required,Firewall - Network and Connections,,
12/23/2011 2:41 PM,Info,"Protecting your connection to a newly detected network on adapter \"Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20)\" (IP address: 169.254.165.52).",Detected,No Action Required,Firewall - Network and Connections,,
12/23/2011 2:37 PM,Info,Connected to a protected network. (127.0.0.0/255.0.0.0),Protected,No Action Required,,,127.0.0.0/255.0.0.0
12/23/2011 2:37 PM,Info,"Protecting your connection to a newly detected network on adapter \"Software Loopback Interface 1\" (IP address: 127.0.0.1).",Detected,No Action Required,Firewall - Network and Connections,,
12/23/2011 1:57 PM,Info,Connected to a protected network. (127.0.0.0/255.0.0.0),Protected,No Action Required,,,127.0.0.0/255.0.0.0


Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Program Name,Program Path,Default Action,Action Taken,Local Computer,Traffic Description,Category,Unrecognized Module

12/23/2011 2:50 PM,Info,"Rule \"Default Block NetBIOS Name\" blocked (201.206.012.255, Port (137) ).  Outbound UDP packet. ",Detected,No Action Required,,,,,,,Firewall - Activities,
12/23/2011 2:50 PM,Info,"Rule \"Default Block NetBIOS Name\" blocked (201.206.012.255, Port (137) ).  Outbound UDP packet. ",Detected,No Action Required,,,,,,,Firewall - Activities,
12/23/2011 2:50 PM,Info,"Rule \"Default Block NetBIOS Name\" blocked (201.206.012.255, Port (137) ).  Outbound UDP packet. ",Detected,No Action Required,,,,,,,Firewall - Activities,


fyzzx4phun wrote:

Category: Scan Results
Date & Time,Risk,Activity,Status,Task Name,Scan Time (d:h:m:s),Total items scanned,Files & Directories,Registry Entries,Processes & Start-Up Items,Network & Browser Items,Other,Trusted Files,Skipped Files,Total Security Risks Detected,Total Security Risks Resolved,Total Security Risks Requiring Attention
12/22/2011 10:10 PM,Info,Idle Quick Scan results,Completed,Idle Quick Scan,0:00:01:47,"6,709","1,254",181,"4,700",25,549,0,0,0,0,0
12/22/2011 7:00 AM,Info,Idle Quick Scan results,Completed,Idle Quick Scan,0:00:02:37,"6,224","1,159",184,"4,307",25,549,0,0,0,0,0
12/21/2011 12:20 PM,Info,Idle Quick Scan results,Completed,Idle Quick Scan,0:00:01:48,"5,775","1,081",171,"3,949",25,549,0,0,0,0,0
12/20/2011 1:09 PM,Info,Idle Quick Scan results,Completed,Idle Quick Scan,0:00:01:25,"5,896","1,079",175,"4,068",25,549,0,0,0,0,0
12/20/2011 5:15 AM,Info,Idle Quick Scan results,Completed,Idle Quick Scan,0:00:03:04,"6,142","1,097",171,"4,300",25,549,0,0,0,0,0
Your system has continual clean scans; no malicious files or processes detected at all.

Category: Firewall - Network and Connections
Date & Time,Risk,Activity,Status,Recommended Action,Category,Gateway Physical Address,Subnet Identifier
12/23/2011 2:42 PM,Info,"IP address has disappeared from adapter Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20) and is no longer being protected (IP address: 169.254.165.52).",Detected,No Action Required,Firewall - Network and Connections,, Your network adapter has lost its connection to the router and is assigned this static PRIVATE (known only to your system) address.  This is an automatic feature of Win7 and poses no risk to your security.
12/23/2011 2:42 PM,Info,Connected to a protected network. (00 B0 6C 07 0F A3),Protected,No Action Required,,00 B0 6C 07 0F A3, Please check the MAC ID of your router or your computer's network adapter.
12/23/2011 2:41 PM,Info,"Protecting your connection to a newly detected network on adapter \"Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20)\" (IP address: 201.206.012.345).",Detected,No Action Required,Firewall - Network and Connections,, This is where your network adapter has connected and joined your local network run by your router; the DHCP server in your router assigned this address to your network adapter so it can communicate on the local network.
12/23/2011 2:41 PM,Info,"Protecting your connection to a newly detected network on adapter \"Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20)\" (IP address: 169.254.165.52).",Detected,No Action Required,Firewall - Network and Connections,, Again, this is an Automatic PRIVATE network address feature of Win7.  When the network adapter is powered and functional (no driver errors), then Win7 will assign this PRIVATE INTERNAL address to the network adapter for use by your system only.  No network traffic physically leaves your system using this address or connection.
12/23/2011 2:37 PM,Info,Connected to a protected network. (127.0.0.0/255.0.0.0),Protected,No Action Required,,,127.0.0.0/255.0.0.0
12/23/2011 2:37 PM,Info,"Protecting your connection to a newly detected network on adapter \"Software Loopback Interface 1\" (IP address: 127.0.0.1).",Detected,No Action Required,Firewall - Network and Connections,,
12/23/2011 1:57 PM,Info,Connected to a protected network. (127.0.0.0/255.0.0.0),Protected,No Action Required,,,127.0.0.0/255.0.0.0
'Software Loopback Interface 1' is a Win7 internal name for a local machine loopback connection (traffic is going from your machine to your machine).  Separate from Localhost but the same usage.

 

All these firewall log entries are just N360 telling you that it has monitored your network, it has changed and N360 is aware of it.  There is nothing here out of the ordinary; no malicious activities on the firewall.

 

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Program Name,Program Path,Default Action,Action Taken,Local Computer,Traffic Description,Category,Unrecognized Module

12/23/2011 2:50 PM,Info,"Rule \"Default Block NetBIOS Name\" blocked (201.206.012.255, Port (137) ).  Outbound UDP packet. ",Detected,No Action Required,,,,,,,Firewall - Activities,
12/23/2011 2:50 PM,Info,"Rule \"Default Block NetBIOS Name\" blocked (201.206.012.255, Port (137) ).  Outbound UDP packet. ",Detected,No Action Required,,,,,,,Firewall - Activities,
12/23/2011 2:50 PM,Info,"Rule \"Default Block NetBIOS Name\" blocked (201.206.012.255, Port (137) ).  Outbound UDP packet. ",Detected,No Action Required,,,,,,,Firewall - Activities,


As to the Block NetBIOS Name log entries, your system is trying to follow standard Win7 network rules by broadcasting to every device on the local network its (your computer's) network name and availability should any other local network device wish to communicate to your computer.  The '.255' in the network address means that this is a broadcast message not directed to any one specific device or system but to all other devices on the local network.  The first three groups of numbers in the address are specific to your local network since your router / gateway is most likely configured for 255.255.255.0 .  You can check the settings on your network adapter by right clicking on the network icon on the task tray and selecting 'Open Network and Sharing Center'; then click on the network adapter link in the upper right hand portion of the Network Center.

 

As to the 'mystery' updates on your Win7 Starter system, after reading your logs (both here and on other forums) I wonder if the laptop OEM could possibly shed some light on this situation?  Could it possibly be that the OEM included third party software to 'fill in the gaps' that the Win7 Starter OS does not include?  (I know that Vista Home Basic [for example] did not include the ability to run Windows Media Player and several OEMs included third party software to provide that function.)  This would explain the 'mystery' updates as the OEM provided software would get updated whenever you first start using the system.
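As an added illustration (not part of the thread, and not Norton's own tooling): a small Python parser for the N360 CSV export pasted above. It pulls each IPv4 address out of the Activity column and labels it the way the reply explains (169.254/16 APIPA link-local, 127/8 loopback, a '.255' NetBIOS broadcast to the local /24), and it flags the poster's redacted 201.206.012.345 as unparseable instead of guessing. The sample rows are copied from the thread; the assumption that the export escapes embedded quotes with a backslash is taken from how the log appears as pasted.

```python
import csv
import ipaddress
import re
from io import StringIO

# Constructed sample: rows in the N360 "Firewall - Network and Connections" /
# "Firewall - Activities" export format, copied from the thread above.  The
# 201.206.012.x addresses are the poster's own redaction and are not valid IPv4.
SAMPLE_LOG = (
    "Date & Time,Risk,Activity,Status,Recommended Action,Category,Gateway Physical Address,Subnet Identifier\n"
    '12/23/2011 2:42 PM,Info,"IP address has disappeared from adapter Atheros AR8151 PCI-E Gigabit '
    'Ethernet Controller (NDIS 6.20) and is no longer being protected (IP address: 169.254.165.52).",'
    "Detected,No Action Required,Firewall - Network and Connections,,\n"
    '12/23/2011 2:41 PM,Info,"Protecting your connection to a newly detected network on adapter '
    '\\"Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20)\\" (IP address: 201.206.012.345).",'
    "Detected,No Action Required,Firewall - Network and Connections,,\n"
    '12/23/2011 2:37 PM,Info,"Protecting your connection to a newly detected network on adapter '
    '\\"Software Loopback Interface 1\\" (IP address: 127.0.0.1).",'
    "Detected,No Action Required,Firewall - Network and Connections,,\n"
    '12/23/2011 2:50 PM,Info,"Rule \\"Default Block NetBIOS Name\\" blocked (201.206.012.255, Port (137) ).  '
    'Outbound UDP packet. ",Detected,No Action Required,,,,,,,Firewall - Activities,\n'
)

# Dotted-quad pattern; range checking is done in parse_ipv4, not in the regex.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_ipv4(text):
    """Return an IPv4Address, or None when an octet is out of range (e.g. the
    redacted '345') so that a bad value is reported rather than misclassified.
    Leading zeros such as '012' are tolerated because they appear in the paste."""
    octets = text.split(".")
    if len(octets) != 4:
        return None
    try:
        values = [int(o) for o in octets]
    except ValueError:
        return None
    if any(v < 0 or v > 255 for v in values):
        return None
    return ipaddress.IPv4Address(".".join(str(v) for v in values))


def classify_entry(activity):
    """Label every IPv4 address found in one Activity field."""
    labels = []
    for raw in IP_RE.findall(activity):
        ip = parse_ipv4(raw)
        if ip is None:
            labels.append((raw, "unparseable (redacted or malformed address)"))
        elif ip.is_loopback:
            labels.append((raw, "loopback: traffic never leaves the host"))
        elif ip.is_link_local:
            labels.append((raw, "APIPA 169.254/16: self-assigned when no DHCP lease was obtained"))
        elif "NetBIOS" in activity and ip.packed[-1] == 255:
            # The reply assumes a 255.255.255.0 mask, so .255 is the local broadcast.
            labels.append((raw, "directed broadcast: NetBIOS name announcement to the local /24"))
        elif ip.is_private:
            labels.append((raw, "RFC 1918 private address: router/DHCP or static LAN assignment"))
        else:
            labels.append((raw, "public address: compare with the ISP-assigned range"))
    return labels


def analyze_log(csv_text):
    """Parse the export and return (timestamp, address, label) triples.
    The export as pasted escapes embedded quotes with a backslash (assumption)."""
    reader = csv.reader(StringIO(csv_text), escapechar="\\", doublequote=False)
    header = next(reader)
    activity_col = header.index("Activity")
    results = []
    for row in reader:
        if len(row) <= activity_col:
            continue  # blank line or truncated row
        for raw, label in classify_entry(row[activity_col]):
            results.append((row[0], raw, label))
    return results


if __name__ == "__main__":
    for when, addr, label in analyze_log(SAMPLE_LOG):
        print(f"{when:20} {addr:16} {label}")
```

Run against a real export, the same loop answers the thread's question directly: an adapter that alternates between a 169.254.x.x label and a routable label is losing and regaining its DHCP lease (or link), which is a connectivity symptom rather than evidence of a second, hidden network.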

I sincerely wish that all these events could be explained so easily.  This is my 3rd laptop.  The first one, Windows 7 Home Premium, I troubleshot down to the BIOS.  The next laptop, I used Ubuntu Linux and when it went to sleep, it never woke up.  Everybody said to just leave it alone and get ANOTHER computer.  I am in Costa Rica.  I got a 600 dollar laptop locally that is only half the power of my original which was 400 dollars in the States.  My original Windows 7 laptop was awesome and I had no complaints for over a year.

 

I connected this Spanish computer to my router, and it loaded an Unknown Device.  Then it started giving me grief like my previous laptop.  Windows close out when I am trying to upload evidence.  I am all alone right now and if somebody would invite me to look at this f ki9ng thing, and how these hackers are harassing me to no end, I would be eternally grateful.

I changed the camera prefs to a different resolution and rebooted.  The resolution was different before I even logged in again.

Why does homegroup insist on enabling even though I don't want it?  Why does Remote Assistance enable after I disable?  These things are pissing me off.  Not to mention that I certainly don't want file sharing allowed in my firewall, and when I delete it, it gets reestablished.  And what about the rules that get automatically entered into Norton to allow every protocol in the book AND they are all read only and I can't edit or delete them.  And what about how every AV gets shut down???????

And I could go on and on with the stuff that gets automatically entered, and deleted, and controlled.  That was before Norton was installed.  Now it's supposed to be normal Windows 7 behavior?  argh

, Your network adapter has lost its connection to the router and is assigned this static PRIVATE (known only to your system) address.  This is an automatic feature of Win7 and poses no risk to your security.
12/23/2011 2:42 PM,Info,Connected to a protected network. (00 B0 6C 07 0F A3),Protected,No Action Required,,00 B0 6C 07 0F A3, Please check the MAC ID of your router or your computer's network adapter.
12/23/2011 2:41 PM,Info,"Protecting your connection to a newly detected network on adapter \"Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20)\" (IP address: 201.206.012.345).",Detected,No Action Required,Firewall - Network and Connections,, This is where your network adapter has connected and joined your local network run by your router; the DHCP server in your router assigned this address to your network adapter so it can communicate on the local network.

My adapter already has a static IP address that I assigned, as well as the DNS entries.  It is not DHCP.


Sorry about not noticing this earlier but how do you assign an IP address of 345?  (201.206.012.345)

 

Also, the ultimate control account on your system is the SYSTEM account, not the Administrator.  Have you checked the Security Policy for that?

I did not want to post the real address so I changed the last 6 to 012.345

 

Hackers have now deleted my norton logs which showed the ip address flipping on a regular basis multiple times a day for months.  Right after I downloaded Microsoft Network Monitor 3.4 an hour ago, the address stopped changing - or at least it's not being recorded any more.

 

Every time I address some "mistake" on their part, they change it.  They are getting better and better because I don't know how to get to the root of the issue and there is no tool to discover them and I am alerting them to their vulnerabilities.

 

I need someone expert and professional to take this computer and troubleshoot it correctly, and decompile the system files or whatever it takes.

Have you tried running Norton Power Eraser? If that doesn't work, try Malwarebytes.  It seems to catch a lot of stuff. And keep ZoneAlarm on.

I doubt these are normal Win 7 behavior.  Please refer me to some analysts so they can see this counterfeit Windows.  The hackers installed undetectable malware today to shut down Norton.

 

Norton shutdown.jpg

 

antispy.jpg

 

Grayed out.jpg

 

English DEFAULT USER on my Spanish computer:

Usuarios Default User English.jpg

 

A regular scan did not detect anything wrong because it must skip files that say they are Microsoft signed.  BUT, when I copied this file from System 32 to the desktop, it was detected...finally!  :-) 

 

System32 AFU.jpg

I appear to be the beta tester of this OS?  Can the Norton Lab help?  How do I get in touch with them?  I sent this rasman.dll, but that is only one of many files.