should there be 10 running processes? (from drivers alone)

Status
Not open for further replies.
hey there hackapelite,

the first install did not "need" those +10 processes when i let windows configure my network settings. i looked in the task manager.

the second install i used the intel driver utility to configure my network settings instead.

the +10 processes may be legit, but i still want to do an install where i let windows configure my network settings instead of the intel driver utility (which i may have "disabled" last time) so that i don't need/have these +10 processes running.
i did everything the same between the first install and the second, except the let windows configure my network settings part: both times i was the admin and there was only 1 account. i saw them in the task manager.

what do you mean by "system-wide processes"? how do i see these? i want to do this!!

no virus was detected. i want to block a hcker from having access to my computer.
"What is higher than you?"
when not on the internet, ram was 430 Mb
when on the internet, ram was 870 Mb
"Does it relate to this thread?"
if a hcker has a running process...

hi punk,
no, they may be legit,
but a hcker needs a running process to access your computer?:o

thanks, don't know much about linux. but i have installed it, some of them (2-3).

how're you doing spirit?:confused:
take a look at all these pictures
http://s786.photobucket.com/user/Galaxlight2/library/Suspicious?sort=3&page=1

and then tell me:
"nobody is hcking you."

in 2 of these pictures, it will be quite obvious

--cAptain KIrk
UNknown
 
Every one of those task manager photos shows way more than 10 running processes. You are way over worrying here.
 
what do you mean by "system-wide processes"? how do i see these? i want to do this!!
In the process list, you can see some running under usernames like "SYSTEM" or "NETWORK SERVICE". They are not ordinary user accounts, and the processes may not be shown by default (I can't remember if they are on XP, they aren't on Vista and up for sure.) Anyway, no running processes = no running system, I have no idea what you did on your first install if you're sure that there were no such processes, but even 10+ is perfectly normal.

but a hcker needs a running process to access your computer?
Of course, but that statement amounts to as much as saying the computer needs to be turned on for the hacker to access it. You almost certainly won't be able to tell just by looking at the running processes.

and then tell me:

"nobody is hcking you."

in 2 of these pictures, it will be quite obvious
All I see is random screenshots of regedit and process list. What should I be looking for?

It's almost impossible for a hacker to just penetrate your computer from the internet if you're behind a broadband modem. If a hacker has gained access to your system it will be because you installed a dodgy piece of software or otherwise took actions to let them in. If someone were capable of installing malware over the internet on a fresh system without the user being tricked into doing it, they certainly are skilled enough to (1) hide it from the process list (2) not have it take conspicuous amounts of RAM.

If you're so worried, just re-install XP and all software without connecting to the internet. And then never connect it to the internet. Make a Linux live USB for everything you do online, never save sessions/user data, and make sure to checksum the USB stick every so often just to make sure nothing got modified.
 
how're you doing spirit?:confused:
take a look at all these pictures
http://s786.photobucket.com/user/Galaxlight2/library/Suspicious?sort=3&page=1

and then tell me:
"nobody is hcking you."

in 2 of these pictures, it will be quite obvious

--cAptain KIrk
UNknown

OK, I've had a look at your screenshots.

What exactly makes you think that you're being hacked? The AsfIpMon.exe process which you highlight in one of your screenshots is just a Broadcom ISP process, which you can choose to disable at startup (via msconfig) and it likely will never run again (see here: http://www.bleepingcomputer.com/startups/AsfIpMon.exe-27180.html). It's harmless.

I'm sure you know what explorer.exe is and 23MB RAM usage is normal.

And svchost.exe is a Windows process, so it runs on every computer with Windows installed. It's a service host, you can read about it here: http://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/ Again, nothing to worry about.

The other screenshots are just random shots of the registry editor, the application data folder and the Windows(?) folder. It all looks perfectly normal to me. Can you pinpoint exactly what you think is 'suspicious' in each screenshot - because to me (and everybody else), it all looks perfectly normal. Which is a good thing, right?

What actually makes you think you're being hacked in the first place? I mean, is your computer behaving in a weird manner, are files 'suddenly' missing or being modified? Is anything being stolen?

Going by your screenshots, I can pretty much hand on heart say that you are not being hacked and that you really need to stop worrying about all of this. You're worrying over nothing.
 
hello johnb35, good to see you again;)

yes there are a lot of running process, but there were 10 less when i let windows configure my network settings. i didn't say there was TOTAL of 10, just +10 more than before...

i can't believe you guys didn't see this!!:eek:
http://s786.photobucket.com/user/Galaxlight2/library/Look?sort=3&page=1

i circled the culprit, on the pictures.
okay, i will post LESS pictures.
besides, like hackapelite said, you probably wouldn't be able to see a hcker's running anyways:
the ones you CAN see are legit, i guess? you looked at them all (there are 3 pictures on the task manager)

hackapelite, thanks for the reply.

i know there has to be running processes for the computer to run.

1st install: lots of running processes.
2nd install: same # of running processes, +10.

i didn't say that there were NO running processes.

"a hcker needs a running process to access your computer"
thanks for clarifying. now i'm starting to understand how this is done.
"You almost certainly won't be able to tell just by looking at the running processes."
i appreciate you telling me this: i am trying to figure out cyber security.

"If someone were capable of installing malware over the internet on a fresh system without the user being tricked into doing it, they certainly are skilled enough to (1) hide it from the process list (2) not have it take conspicuous amounts of RAM."
i didn't know this.

in order to install some of my software, i have to connect to the internet...

if i save data, such as a text file on "linux", can this text file, if transferred to windows, be read?
how do i "not save a session", if i have to set up the internet, etc (save settings and the like)?:o

spirit, how are you doing?:) its good to see you again!

yes, there are several strange things that happened that means by which "access" may have been gained:

*can your firewall be neutralized so that it temporarily turns off (is dissolved, or fizzled) long enough for them to get "in" (a new technique?)
1. my firewall, when online, displays an error, showing a blank grey box instead of the normal perfect picture:eek:
and then proceeds afterwards with a "script on page has stopped running error".
it asks the question: "do you want to continue running this page?"
"yes", "no".
if you click "yes", the question keeps repeating, no matter how many times you click "yes".
if you click "no", the question keeps repeating. the same box keeps reappearing for 3 times when you click "no" 3 times, and then the box disappears:confused:
*when i am NOT on the internet, there is NEVER this error message...
*it has only just recently started doing this error message after the circled "server" in the picture that i posted, appeared.
circled "server" in the picture that i posted
http://s786.photobucket.com/user/Galaxlight2/library/Look?sort=3&page=1

2. my computer has NEVER had bubble pop ups of "a java update is now available". when i clicked on the bubble to update java, it said
"it is unsigned"
so it didn't update.

3. i gave someone my email address, but did not open any attachments or download any files from it. but i did open the actual email itself.

4. a new "server" has APPEARED on my computer, with "permission" to access. refer to the picture that i just posted.
i just looked under my computer settings and found that the "allow remote assistance invitations to be sent from this computer"
was clicked as "yes", it is turned on and "active".

--cAptain KIrk
UNknown
 
i circled the culprit, on the pictures.
The SYSTEM user is a special account that Windows uses to run processes without any privilege restrictions, so of course it's got full control. This might be helpful. The story of RESTRICTED is similar, it's a built-in account for Windows' internal use. As for the "Unvanquished Development" registry entries, I still don't know what I'm meant to be looking for.

This lists the built-in accounts, if it's in there, you pretty much assume it's safe and you don't want to mess with their privileges unless you really, really know what you're doing.

Google says MFAData is used by AVG, if that's what you have installed, don't worry about it.

in order to install some of my software, i have to connect to the internet...
The advice was semi-serious; I wouldn't worry about getting hacked.

if i save data, such as a text file on "linux", can this text file, if transferred to windows, be read?
Of course.

how do i "not save a session", if i have to set up the internet, etc (save settings and the like)?
By not doing anything. Usually (I mean usually as in this is how all Live CD/DVDs that I know of work), your user directory is located on a RAM disk, so after you quit the Live CD session, all your user data is lost; it's only when you DO want to save anything that you need to take explicit action.

If you're behind a broadband router and have not enabled port forwarding, a hacker intruding is practically impossible as long as you haven't installed any dodgy software that phones home. Question 1 is very incoherent and you seem to be mixing up your browser and firewall - what firewall do you have, and can you post the exact error? Screenshot maybe?

As for 2, well, Java updater does that. Good on you for not installing unsigned stuff, but it's perfectly normal for it not to notify you - I imagine you must have had automatic updates disabled before.

If you used webmail and did not use something like IE6, don't worry - the worst that's going to happen is you'll receive a lot of spam.

What server are you talking about?

EDIT: You mean the unvanquished thing? Here.

You've installed unvanquished? If so, you really shouldn't worry about related stuff showing up... one would expect that.
 
hackapelite hey there:good:

wow, hackapelite, i really appreciate you. thank you, thank you so much.
you're great bro.

so with a live cd would be just as good as an install on a USB since you're not going to save any sessions?

if you don't save any sessions, this means that everytime you want to go onto the internet, you have to install your security programs?

that's just it, i DIDN'T install the unvanquished program. i never had it before until now. how do i remove it?

thanks:D

--cAptain KIrk
UNknown
 
so with a live cd would be just as good as an install on a USB since you're not going to save any sessions?
Usually, installing on a USB does save your stuff. But you can prepare a Live USB (using something like unetbootin), which is exactly like a live CD/DVD, except, of course, it's a USB stick, not an optical disc; and by default, it won't save anything. Of course, you can just use a Live CD/DVD as well if you like - USB sticks just tend to be a lot faster at loading stuff.

if you don't save any sessions, this means that everytime you want to go onto the internet, you have to install your security programs?
You really don't need to install any security programs, all popular Live distros come with all security tools you need to browse the web already installed. But yes, all your user data and programs you install (if your live session even allows installing programs) will be gone when you shut down.

that's just it, i DIDN'T install the unvanquished program. i never had it before until now. how do i remove it?
No idea, look for it in add/remove programs? It's a game, someone must have installed it. The game itself is legit, though, so unless it was installed from a dodgy source, it should have an uninstaller and it definitely isn't involved in you being hacked. Dig around its folder in program files or somewhere?
 
hackapelite, thanks for the reply,

so a "game" installed a SERVER?
a server connects to the internet, right?

why would a "game" install its OWN pathway to access the internet besides the one that you always use?:confused:
this sounds suspicious to me.

over the course of years, i have installed hundreds of games (not on this hd), and NONE of them, even ones that had a "multiplayer" option or were for "multiplayer" only, NEVER installed its "own" server. its not just my opinion, or what i think, its from experience, because i have done this.

i have not installed a "game" called the "unvanquished". it was not in the add/remove list. there was not a program folder containing this program, in the program file list, or in the place where i install games, nor was there even a folder for it in the start menu list. and i could not find any file folder that contains it on the entire computer!! (with a "search" function). it is "hidden". "search is complete, there are no results to display". already, this is starting to get more and more suspicious by the minute.

--cAptain KIrk
UNknown:eek:
 
No, a server is not for connecting to the internet; server is for someone (usually on the internet) to connect to your machine. However, according to the game wiki, it's a server browser and IRC client, not a server. Are you sure the game has never been installed? Even on the previous installation? Did you restore any backups or add stored registry keys yourself? The files may well not even exist on the machine, it looks like some settings left behind from a previous installation, as though the game was installed and then removed.

Do other people use the same machine?
 
hackapelite, great to hear from you:)

even IF it had been from installing a game, "unvanquished", which i didn't, the hundreds of other games that i have installed before have NEVER installed a server. in fact, no program that i have ever installed has installed a server. i Didn't restore any backups. i Didn't add stored registry keys myself. no one else uses this computer.

a toolbar can usually be removed in the add/remove programs, and "shows up" when you open your browser.
why would you need another browser when you already have one?
each game needs to install its own browser?
what is an IRC client?

i have installed a couple of programs that gave the option to ALSO install, at the same time, a toolbar; and that, if you read it carefully, and "uncheck" the box to install the additional toolbar, will NOT also install it. i have also installed 1 or 2 programs that installed a toolbar at the same time without me knowing it was doing so. but these are only "toolbars", not "servers" or "browsers".

a couple of games have asked to install a toolbar, but only like 3-4 at most. NONE of the games have also installed a "server" or "browser".

what is suspicious is that this "server" shows up in the "hide when inactive" section of the computer. and NO game that i have EVER installed, has done this!!!!!!!!
there should be NO reason why a game should show up in this location. i may not be a total expert at computers, but from years of experience, this has NEVER happened to me before.

a "server is for someone (usually on the internet) to connect to your machine."
how do you get to the location where the "hide when inactive" programs are on your computer?:confused:

*note: an "inactive", non running program would NOT show up in the "hide when inactive" section.

--cAptain KIrk
UNknown mYSTeRies
 
even IF it had been from installing a game, "unvanquished", which i didn't, the hundreds of other games that i have installed before have NEVER installed a server. in fact, no program that i have ever installed has installed a server. i Didn't restore any backups. i Didn't add stored registry keys myself. no one else uses this computer.

a toolbar can usually be removed in the add/remove programs, and "shows up" when you open your browser.
why would you need another browser when you already have one?
each game needs to install its own browser?
what is an IRC client?
It is not a server, it's a server browser (and IRC client). A program that lists available servers for the game. IRC = internet relay chat, a kind of group chat thing on the internet. Although most games do in fact install servers, you just wouldn't know because there may not be a dedicated binary (or they are well hidden); if you can host a multiplayer game (local or internet, does not matter), there is by definition a server running on your computer.

What toolbar/browser are you talking about?

what is suspicious is that this "server" shows up in the "hide when inactive" section of the computer.

a "server is for someone (usually on the internet) to connect to your machine."
how do you get to the location where the "hide when inactive" programs are on your computer?

*note: an "inactive", non running program would NOT show up in the "hide when inactive" section.
There is nothing suspicious about this. It's just talking about the system tray icon; by default, Windows hides them if they're not user/active (hides as in you have to click the little arrow to reveal them). Windows automatically marks them as "inactive" if they go unused, although I'm pretty sure programs can control their inactive/active status as well.

And programs not running do, in fact, show up there. Mind you, there is no "hide when inactive" section as such, it's just a setting; Windows remembers programs that have had an icon in the notification area, and hiding inactive programs just happens to be the default behaviour for all programs. The entries will stay there even when the program stops running and often after even being removed. But, again, the "hide when inactive" setting only controls when the notification area icon is displayed (and it is default behaviour on Windows); it has nothing to do with hiding the program. You can change it to "Always show" (or whatever it's called) and the icon will be visible whenever the program is running.
 
hi ya hackapelite:good:

only some programs show up in the "hide when inactive" section, but no games do. sometimes the programs that are in the "hide when inactive" section are the same ones that are also in the control panel.
okay, so i just tested out your theory. i uninstalled one of my programs, rebooted, and then checked the "hide when inactive" section. yep, you're right. that "inactive" and non running program is still there!! well i'll be danged:o

"What toolbar/browser are you talking about?"
in past years i have installed them and also chosen not to install them; however, this is something that has happened in the past and has not been done on this install.


so then maybe its just a coincidence then?
what does it mean when you are "HiJacked"?

--cAptain KIrk
UNknown mYSTeRies
 
only some programs show up in the "hide when inactive" section, but no games do. sometimes the programs that are in the "hide when inactive" section are the same ones that are also in the control panel.
Yes; the programs in that list are programs that have had an icon in the notification area. Now, games themselves of course don't (there's no point), but it's very common for IRC clients (and other chat programs for that matter) to have a notification area icon, and the IRC client in this case is distinct from the game itself.

so then maybe its just a coincidence then?
what does it mean when you are "HiJacked"?
I would say so; based on what I've seen in this thread, at least, I have no reason to believe you're infected or anything. I'm not sure what you mean by hijacking, can you give some context? Browser hijacking is when a piece of software changes your browser settings (usually changing the search engine and home page), but that's the only kind of hijacking that I know of.
 
how are you t'day hackapelite?

yes, that's what i had heard too.
apparently there seems to be another kind.
i didn't know that "HiJacking" can't be detected by normal virus detection methods.
meaning that "HiJacking" is effectively INVISIBLE and is usually not even detected because it is NOT a virus, only a browser/irc client.
an open doorway to your computer.

"I have no reason to believe you're infected or anything."
yea, that's what i thought too. i ran my security program 4 times and it NEVER "detected" anything. so obviously i had nothing to worry about. though there was some fishy business going on that looked suspicious. it was "unusual" and i had NEVER seen this type of thing before. i am not a total expert, but have some experience and know a thing or two. "something" was going on -- i just couldn't pinpoint it, or put my finger on it:rolleyes:

so i looked in the task manager and examined the running processes. i looked for anything out of place. later, i learned that sometimes a process by the "same" name can be running, except that it is not the same process/running process at all, but a completely different program. the ones listed as my computer name, under "user name" looked alright. then i looked at the rest. i think the ones that say "system" are okay. now the rest: now here's what might be strange -- some processes are listed as "local service" and then others are listed as "network service". this sounds out of place maybe.

"I'm not sure what you mean by hijacking, can you give some context? "
i then used a different kind of security program and found something. it was located in the registry.
1. it was embedded in the system restore
2. a malicious security detected file, "pum.hiJack.startmenu":eek:

just like i said, the "hide when inactive" is in the start menu option in the control panel, a start menu function.
it was a start menu HiJack. never heard of it either. i think it is new.

even other experts like johnmb, spirit, stars, nor anybody else could see it either.

--cAptain KIrk:cool:
UNknown mYSTeRies
 
Kirk, if you're sure that something odd is definitely going on, just reformat and reinstall Windows and be done with it.
 
Apparently, that particular hijack is a Malwarebytes detection; it simply refers to a start menu setting that is often misused by malware. However, of course it can't tell if the setting was changed by you or a legitimate program rather than malware. Like you said, hijacks of this sort can't be detected by normal virus detection methods because they're not viruses or malware; they're usually maliciously changed settings. If a malicious program changes your browser's home page, it's said to be hijacked, but there is nothing malicious about having a changed home page in itself. Also, these hijacks definitely have been around for a while.

However, start menu hijacks aren't open doorways (or any kind of doorways for that matter) to your computer, so that's not what you need to worry about. What you do need to worry about, though, is whatever did the hijacking, if it indeed was a malicious program... if none of your programs detected anything, I wouldn't worry too much, but somehow it got on your computer in the first place.

now the rest: now here's what might be strange -- some processes are listed as "local service" and then others are listed as "network service". this sounds out of place maybe.
No, they're definitely alright. Also, bear in mind that unless you use admin as your normal account, no malware/virus can run under these accounts - ordinary user accounts simply don't have the privileges to launch programs under these names.

Which reminds me: you're not using admin as your normal account, are you? If you are, you really need to stop, especially when you're as worried about security as you are, and create yourself a normal user account. If you use administrator as your regular login, you might as well assume that you either are or are soon going to be infected.

even other experts like johnmb, spirit, stars, nor anybody else could see it either.
I don't think that's fair on them - one couldn't possibly tell from the screenshots or things you posted before.
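
An added example, not part of any post in the thread: the replies above point at the account a process runs under (SYSTEM, LOCAL SERVICE, NETWORK SERVICE) and at processes that only share a name with a Windows one. This Python sketch parses `tasklist /V /FO CSV` output, groups processes by account, and lists core image names running outside the built-in accounts; the sample output, the `EXAMPLE-PC\user` account and the `SYSTEM_ONLY_IMAGES` list are constructed assumptions for an XP-era system.

```python
import csv
import io
from collections import defaultdict

# Built-in service accounts named in the thread; tasklist prints them
# with the "NT AUTHORITY" prefix.
BUILTIN_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Assumption for this example (XP-era system): image names expected to run
# only under a built-in account. Newer Windows versions differ.
SYSTEM_ONLY_IMAGES = {"csrss.exe", "lsass.exe", "services.exe",
                      "smss.exe", "svchost.exe", "winlogon.exe"}

# Constructed sample in the column layout of `tasklist /V /FO CSV`.
SAMPLE_TASKLIST = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Console","0","28 K","Running","NT AUTHORITY\SYSTEM","5:12:03","N/A"
"System","4","Console","0","236 K","Running","NT AUTHORITY\SYSTEM","0:00:11","N/A"
"services.exe","680","Console","0","3,412 K","Running","NT AUTHORITY\SYSTEM","0:00:02","N/A"
"svchost.exe","856","Console","0","4,780 K","Running","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"svchost.exe","924","Console","0","4,104 K","Running","NT AUTHORITY\NETWORK SERVICE","0:00:00","N/A"
"svchost.exe","1104","Console","0","3,560 K","Running","NT AUTHORITY\LOCAL SERVICE","0:00:00","N/A"
"explorer.exe","1620","Console","0","23,044 K","Running","EXAMPLE-PC\user","0:00:09","N/A"
"AsfIpMon.exe","1788","Console","0","2,916 K","Running","NT AUTHORITY\SYSTEM","0:00:00","N/A"
"svchost.exe","2240","Console","0","1,988 K","Running","EXAMPLE-PC\user","0:00:00","N/A"
'''


def is_builtin(user):
    """True when the owner is one of the NT AUTHORITY service accounts."""
    domain, _, name = user.rpartition("\\")
    return domain.upper() == "NT AUTHORITY" and name.upper() in BUILTIN_ACCOUNTS


def parse_tasklist(text):
    """Turn tasklist CSV text into a list of process records."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "image": rec["Image Name"],
            "pid": int(rec["PID"]),
            "user": rec["User Name"],
            "builtin": is_builtin(rec["User Name"]),
        })
    return rows


def group_by_account(rows):
    """Map each owning account to the sorted image names it runs."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["user"]].append(row["image"])
    return {user: sorted(images) for user, images in groups.items()}


def name_account_mismatches(rows):
    """Core Windows image names that run under a non-built-in account."""
    return [(r["image"], r["pid"], r["user"]) for r in rows
            if r["image"].lower() in SYSTEM_ONLY_IMAGES and not r["builtin"]]


if __name__ == "__main__":
    rows = parse_tasklist(SAMPLE_TASKLIST)
    for user, images in sorted(group_by_account(rows).items()):
        print(f"{user}: {len(images)} process(es): {', '.join(images)}")
    for image, pid, user in name_account_mismatches(rows):
        print(f"check: {image} (PID {pid}) runs as {user}")
```

A hit from `name_account_mismatches` is a reason to look at that process's file path and publisher, not a verdict, and an empty result does not show a system is clean.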
 
Kirk, if you're sure that something odd is definitely going on, just reformat and reinstall Windows and be done with it.

+1,
Just reinstall man, make your life easier. Honestly as long as this thread has been going you could have reinstalled Windows and fully configured and would still have time left over.

Honestly if you are this worried about your security do the reinstall, if you have the right version of Windows use BitLocker and encrypt your drive and if your version does not I am sure these fine Windows users can recommend one. Run a good AV and Malware with active protection and dump Microsoft's Firewall for one a little more worthy.

Honestly though I think you're just suffering from paranoia.
 
spirit hi,

there are lots of security programs that can "detect" a problem, but what things can i do to prevent it?
otherwise, even with the reformat, it will happen again...

hackapelite hello here,

"If a malicious program changes your browser's home page, it's said to be hijacked, but there is nothing malicious about having a changed home page in itself. Also, these hijacks definitely have been around for a while."
then it must be "new", an advanced level hcker...
because my home page has NOT been changing. it is an OPEN doorway access to my computer for a hcker to do what ever they want.

"it indeed was a malicious program...if none of your programs detected anything"
a security program detected it.

"create yourself a normal user account."
i only have 1 account on the computer.

"If you use administrator as your regular login, you might as well assume that you either are or are soon going to be infected."
how?

what is the difference between a "normal account" and an admin? they are the same thing...

hi there DMGrier,

"and would still have time left over" to be hcked again:good: if i don't figure out how they got in and prevent the means by to do so, it is simple --
they will do so again. you don't have to be that smart to figure that one out;)

"Honestly though I think you're just suffering from paranoia."
pum.hiJack.startmenu

--cAptain KIrk
UNknown mYSTeRies
 
The computer is only as safe as its user, so what you need is a good anti-virus and a bit of common sense. Don't go to dodgy websites or install dodgy software and you will be fine.

But I still don't think you're being hacked. I think you're worried about nothing.
 