Help Dell Laptop turned into a Server
I am posting this here as my laptop has been turned into a Windows server without my consent. I do have Group Policy set up but I have no control over the contents. I need help with a serious hacker issue. Someone, somehow, has complete control over my system.

I have a Dell Vostro V13 laptop running Windows 7 Home Premium 64-bit. Memory is 4 GB DDR3 1333 MHz SDRAM, 1 DIMM, with an Intel Core ULV i3-380UM processor (3M cache, 1.33 GHz, 800 MHz FSB). It has a 500 GB SATA hard drive.

This issue has been going on for some time now (possibly up to 1 year) but it has gotten much worse as time has gone on and the hacker(s) have gained more control over my system. This actually started on a previous laptop I had. The hackers have turned my machine into a server and are using it to either play games or to resell bootlegged software, and/or maybe to gain personal information on me. I am not entirely certain of their motives but it has caused me many, many problems. At one point I found a reference to allowing up to 100 client connections into my new Dell server.

Here are some of the odd things I see. My OS build version shows 6.1.7600 Build 7600. When I run the Dell diagnostics utility it shows something in the 4,000 range. This is the same build version I showed on my previous laptop but it had the Home Starter Windows package loaded. My boot device is \device\Harddiskvolume1. I don't know if this is strange or not. My hard disk is 0. I have been placed into a domain and do not have complete administrative control over my system. I have admin rights but the domain server admin has more rights than I do and this person is the hacker. Installed physical memory is 4 GB; total physical memory is 3.8 GB. I believe the hacker has used some of my memory allocation to house their malicious software. Available physical memory is 3.35 GB. This is after a safe boot load. Total virtual memory is 7.6 GB. I have tried to uninstall the virtual memory but it keeps coming back. Available virtual memory is 7.14 GB.

Page file space is 3.8 GB. I have tried to delete the page file but I can't. I also have what is called a hiberfil.sys file on my system; this is currently 4 GB in size and I cannot delete it. The page file is c:\pagefile.sys. I am now fairly convinced my problem is somewhere in the memory. I think a RAM drive or RAM disk loads at boot. I have a 500 GB hard drive but I can only see 465 GB. The remaining disk space is reserved for an X: drive that I can only see and navigate to when I get into System Restore mode and get into the command prompt. Once I get into the z: drive I can see all sorts of files that I do not believe belong there. I have attempted to remove the files but they all recover at my next boot. I have even seen them recreate themselves before my very eyes after I deleted them. I can't delete every file. Many are protected and I do not have sufficient admin rights to delete them, nor can I gain those rights. I have tried to reformat the z: drive but I have been unsuccessful; I get a write-protected error. I have, however, been able to format the c: drive but this did not resolve the problem. I have now reloaded the OS over 20 times in the past month and it is now becoming clear that this will never solve my problem. When I run the set command from the c: drive many of the settings are different than when I run that command from the z: drive. As an example, the computer name is different. It is as if I have two computers and two OSs running at the same time: one for the domain administrator (i.e., the hacker) with complete control, and one for me which allows the hacker to see everything I do and prevents me from gaining access to my own machine. I believe the hacker has a system image and has a CD-ROM capable reboot. I do not have the technical knowledge to understand how this all works but I do know this person is accessing my system at blinding speeds.

He or she is somehow contacted every time I gain network access, as the moment I get online they are in my system. I have tried to prevent this via the firewall but last night the hacker just deleted my firewall. They also took over the USB dongle I was using for Internet access. They changed the PIN on one of my SIM chips, which prevented me from accessing the service. I had another SIM chip with a PIN already programmed into it and they just modified the USB software to disallow the use of a PIN. I watched as this person had Internet access via my system and I was somehow denied access. One thing that I am perplexed about is how this hacker is gaining access to my laptop. They seem to be able to access it even when I am not connected to the Internet. I have found hidden files that are called hiddenpbx. I do not know if this is a back door or not. I delete the files but they always come back. When I look at my memory resources I see IRQ 81 to IRQ 190 reserved for a device called Microsoft ACPI-Compliant System. This seems odd to me. This is a lot of upper memory reserved for something. All my Dell devices that came preinstalled have been replaced with some generic devices of unknown origin or these so-called Microsoft-compliant devices. Every time I reinstall the devices they last a day and then are replaced. Every time I reload the OS I run across strange log files that reference this x: drive. It appears as if the OS is actually being reloaded with some bogus or bootlegged OS rather than being loaded from the OS CD Dell sent to me. There is all sorts of information I can provide, but I am not certain what would be most beneficial. I need to leave this up to the experts. So if someone could raise their hand and give me some help I would appreciate it. I know someone out there in cyberspace can fix this problem without too much sweat, but I do know this issue has gone on for some time now and this hacker now has complete control over my system.

I understand it may take some time to undo what this person or these people have spent many hours creating, but I need my system back. I would be willing to offer some sort of compensation to the person who can get my system back into my hands. I do not have much money but I will certainly offer what is deemed fair in this situation. I am at the point where I just want to throw this laptop into the trash can. I can't spend a lot of time speculating as to what may be the problem. I need to know what the problem is and to have it fixed. I am currently not using that machine to access the Internet or to send this post. I have to use an Internet cafe so my access to the Internet is much more restricted. Thanks in advance for any help someone may be able to provide.
August 4th, 2011 2:46pm

Sorry to hear of your plight. At this point it may be wise to seek out an IT guru local to you; take him your laptop and a new, unopened USB hard disk. Ask him to recover your documents and files, and tell him you're infected or exploited with malware so he can proactively scan your system prior to saving your files. At that point I would format the system completely with a fresh install, turn up MS Security Essentials, enable the firewall, and start an active backup process once you're done rebuilding your laptop. Something does sound off with your system. On the bright side, you're not in a completely unrecoverable situation since you still maintain access to your system. :P Advice offered. If you need more help it is advised to seek the counsel and advice of paid professionals. The answer is always 42, or reboot.
August 4th, 2011 3:44pm

Thanks for your reply. I have taken my laptop into a repair shop 4 times now. They were not the gurus I hoped for. I have nothing on my system that is needed. No documents or files needed. The problem is the fresh install. If I have something hidden in memory I do not believe a fresh install will solve the problem. That memory block allocation needs to be removed. I think I can do it via the Device Manager but I do not want to make a mistake.
August 4th, 2011 3:51pm

Oh, and by the way, this is not malware or a virus. This is old Microsoft device software that has been loaded onto my machine. Virus and malware scans turn up nothing. It looks like legit software as it is. It is just old and highly vulnerable to security issues. I have Microsoft device software from 1996 on my laptop. This seems a bit old to me but maybe I am wrong. It is this combination of old technology and new technology that is so problematic. They have complete control over my system and no one knows how to find it and rid my machine of it.
August 4th, 2011 3:59pm

Here's what I'm thinking, but I'm not completely familiar with current hacking trends... First, they can NEVER get to your machine if you're not connected online. So the $60,000 question would be, what ISP do you use? You don't necessarily need to publish it here, but the next question would be, do you have a static IP address? If it's not static, then it seems unlikely that they can "track" you from across the web somewhere. So the next question is then, are you working off a wireless LAN? If you are, I do know there are numerous hacking aids for determining someone's wireless key and gaining access to their WiFi networks. It would also make sense because they are close by and can tell much better what may have changed (if anything), as opposed to criss-crossing the network over obscure IP connections. If you are wireless, my suggestion is to go cabled. In order to hack into a cabled system, one has to have physical access to the cable. That's a much tougher hill to climb than capturing someone's radio waves. You could also change your WLAN key (go with the most secure available on your router/modem) as well as your SSID, then turn off the broadcast of that SSID. If no one knows it and can't see it being broadcast over the waves, they can't know what it's called and can't hack it (I think. lol). Finally, I would also suggest that you can indeed wipe your machine such that any hidden programs or files would be lost, for all intents and purposes. Unless someone has physical access to your machine, when you repartition a drive, even though the files are still buried on the disk, there's no way to remotely "wake up" a "sleeper cell" of program code or whatever that I know of.

Oh, BTW, I just read recently about something like this in Michigan or something. A man was arrested for making his neighbor's life hell. He set up a social networking site in the neighbor's name, sent uncomplimentary emails to important people from the neighbor's computer, and generally wreaked havoc with his digital life. It was like out of a bad movie. But he did get caught. Perhaps you might involve the authorities? I wish you all the best. Take assessment of how you think they might be getting access, and take some counter-hacking steps to foil them... I sure hope this is helpful to you and wish you all the best... Cheers, Noel Stanford Oveson jeremyNLSO CNE, CLSE, MCSE, MCTS, MCITP Berlin, Germany
August 4th, 2011 4:18pm

I have not encountered any rootkits or exploits that have survived a complete hardware wipe of a system. A low-level format of the machine is where to start, then installation of Windows 7, then applying updates and patches, installing MS Security Essentials, and enabling the firewall. Do not reinstall copies of software a buddy gave you. I would not take it to, say, "a mega chain store with funny cars" and expect miracles; I would look at local repair techs near where you live who actually have experience with this. I would also proactively run scans against any USB thumb drives or hard disks that you might co-mingle with other devices. :P Advice offered. If you need more help it is advised to seek the counsel and advice of paid professionals. The answer is always 42, or reboot.
August 4th, 2011 4:19pm

Thanks for the reply. I thought the same as you with regards to the NEVER get to your machine if not online. I do not think that is true anymore. Apparently these people are using some type of Bluetooth technology to access the system. At least this is what I think. I just found an active USB device hub that said it was good for 6 BT connections. I deleted that. My system is hosed. Anyway, to answer your question: I use a variety of ISPs. In my home I have Telnor. They are the local telephone company in Baja California, as that is where I live. It is ADSL service. I can tell you for a fact they are not very secure and I believe they were the start of my problems. I stopped using the WiFi from the router they gave me, but that did not help. I also use Telcel wireless USB access and T-Mobile USB access. It does not seem to matter who I use anymore. My system calls home to the hackers whenever I get online from any ISP and then they have my new IP address. This seems fairly secure once I get into the network but these people had access to my computer before I could even access the network. I do not have a static IP address, although at times it looks like I do because these hackers have done some funny things with my IP routing tables. I did everything else you mentioned many times over. I thought I was secure by doing those things and then I noticed these hackers had been in my system and using my IP access the entire time. Since they are riding on a partition and have access to my desktop they can gain access to the WiFi even if it is not broadcasting. They only need the code and that is easily obtainable if they have access to my ISP access information. BTW, I do believe my problems also started with a neighbor. He used the WiFi signal and Microsoft Easy Transfer to begin this nightmare. While I could give a hoot if someone posted shit about me on the Internet, this person has still made my life a living nightmare and it is also a bad movie.
August 4th, 2011 5:30pm

The truth is I would feel better taking it to the big guys versus a small mom-and-pop. I took it to the mom-and-pops 4 times (2 different stores) and they did not have a clue. Now I am certain this would not be true of all the mom-and-pops, but at least the big guys may have the resources to help out a little more. I am not an expert on this but I was reading that if I am just a user on part of a domain, the administrator of that domain can have an image ROM and reimage any and all computers that are part of that domain, AND with the right software this can be done remotely. True or not? If true, then your statement may still be correct, but thus far I have not been able to make it work, with the primary reason being that the x: drive is write-protected and so are most of the files that reside on that drive. I do not know how to unprotect the disk or the files from that drive. I can only use DOS or Win32 commands from that drive. I do not have access to Windows as far as I know. Your instructions are basically what I have been trying to do. So, does anyone know what command unprotects a drive and/or the files within the drive? I tried using the attrib and takeown commands without success.
August 4th, 2011 5:40pm

Hi Michael, I understand your current situation. However, generally speaking, it is recommended that you reinstall, or restore the computer from a previous backup, if you think there is a hacker/virus issue on your computer. By the way, for the virus issue, visit the Microsoft Virus Solution and Security Center for resources and tools to keep your PC safe and healthy. If you are having issues with installing the update itself, visit Support for Microsoft Update for resources and tools to keep your PC updated with the latest updates. Also, you can check the Microsoft Security and Privacy website at: http://www.microsoft.com/security/ Best Regards, Vincent Hu
August 8th, 2011 1:54am

Hey Vince, I have the same problem but on 2 Dell laptops. It's also affecting every cell phone in my house now. As I type this, I have been closed out repeatedly. A clean install won't do it. I've had 4 new hard drives (2 per laptop), new memory, a battery and a motherboard in one of them, and countless clean installs. The first thing I did was call Microsoft PC Safety and was pretty much ridiculed when I said a clean install did not fix the problem. They are all about the "scan results". Well Vince, I've looked at every file on both laptops, through the registry keys. All of the files on my laptops are locked. And here's the deal: the hard drives (each with a segment missing; the 500G, like Michael's, is 465.8G), my laptops are "virtual" and the MBR is in the DVD drive on one and in a phantom USB drive, drive E:, on the other; no drive is installed on either laptop but the icon is on both. I can even remove it with Safely Remove Hardware, but it's there after each reboot. I know I am on a server; the registry proves it. I think I may be on more than one. I have active services for both Server and Workstation, as well as about 6 remote services, several DCOM services, the Group Policy service, and I am a total lackey in that organization. My function is to pay the Internet bill, several P2P services, and a bunch of Windows Media services: extenders, networks, blah blah blah. I also have the same legacy hardware installed in my Device Manager but nowhere on my computer, and it causes a boatload of crashes. Oh, and yes, the memory is totally involved but I haven't figured out how it plays in from what I've been told about how the memory functions. Oh, I finally figured out why the scans come out clean: there are a ton of snap-ins in the MMC, and "they" pull them in and out. In AVG, I cannot scan my network files, the ones I'm not even supposed to have. So Vince, I've spent about $500.00 in the past 6 weeks and gotten nowhere, and that does not include the cost of the hardware. Both laptops are still warrantied. If you've got any better ideas than PC Safety or a local shop, please get in touch. I have a lot of other particulars which might be helpful. However, I am basically typing this with the page and cursor jumping all around. It sucks. It absolutely sucks.
September 2nd, 2011 5:53pm

Michael, I have the same thing on 2 Dell laptops. If you've found a solution, please let me know. If not, I have a lot of info I'd like to compare. Thanks.
September 2nd, 2011 5:55pm

Couple of things here. Your installed physical memory being lower than the actual physical memory is normal. Some PC manufacturers use that for on-board video and other devices, so I wouldn't be as concerned about that as the OS issues. With regards to your OS issues, let me ask a question here. If you do a clean installation from DVD and never connect it to the Internet cafe that you go to, does the problem reoccur? It sounds to me like what you have happening is a bot of some sort that's on the network of your Internet cafe, and once you join that network you get instantly owned by whomever has their software there. It might explain why your phones also act that way (which is odd to me), if they are being connected to that same cafe network.--Joseph [MSFT] http://blogs.technet.com/b/joscon/
September 3rd, 2011 9:13am

Hey Joseph, Thanks for your response. I don't go to Internet cafes, Starbucks or anywhere else. When I use my laptop outside of my home, which is not often, I have a Verizon USB modem. Yet, I haven't used either laptop away from home since late June. None of that really matters, as my home network is totally screwed. Right after all of this started, I paid a professional to come reconfigure the network with a new Belkin ND 600 router. I am now locked out of that. The password has been changed from that with which it was set up. NO, a hard reset does not take it back to factory standards. I've tried countless times; please do not ask me something stupid like how long I held the reset button. Just take my word for it, the reset button does not reset anything. I set the Windows firewall to default with all incoming traffic blocked but within minutes it's changed; there's a snap-in that dictates the setting. I didn't even know about snap-ins until a couple of weeks ago... not about snap-ins, Group Policy or the MMC. I've learned a lot, just not enough to get this mess straight. Plus, no one with whom I've spoken feels any of this is legitimate... The guy who came to the house did, but that was in the beginning and he said it was just a faulty hard drive. 2 new hard drives on each laptop later, I think it's safe to say it's not the hard drive... speaking of which, this laptop should have a 500GB drive but it shows only 465.8GB. Regarding the clean install, there is no such thing. I just reinstalled the OS on the Win7 a few hours ago. My files came up exactly as they were before the installation. Out of curiosity, to see if it was booting from the CD drive as it was set to do, I disabled the hard drive in the BIOS and put the OS disk in the CD drive. When I started it up, I got an error that there were no bootable devices.

Not only are my files intact after a reinstall, all of the server files (the server that I'm not supposed to be on) are intact, including the Group Policy settings I didn't create (and which limit me to basically read-only while giving "TrustedInstaller, SYSTEM and CREATOR OWNER" all of the admin rights; I am the only user of both laptops), the snap-ins for Scheduled Tasks, the Device Manager and Disk Management. The registry is full of keys relating to servers: BDE UI server, ACC Radius Server, BYOT.BYoT.Server.ext; there are others but as I type this, the cursor is going everywhere. Actually, this is my 2nd attempt to reply. Initially, I was replying directly on the website but as I was typing, the page turned and my reply was gone. I'm using Notepad now, hoping to be able to save the text long enough to copy and paste it on the Internet. The Device Manager shows tons of hardware that is not on this laptop, including drivers for RDP. I can't remember all of the letters right now, but it's the Remote Desktop Protocol. My running services show a service for Server, Workstation, Remote Registry; the list goes on. I have a problem, Joseph, a big problem. One I've spent lots of time and money trying to correct, and have gotten nowhere. If anything, it's worse than when it started in early July. From what I see looking at the files, there's some spamming, video game playing and music sharing going on through my laptops. As to the phones, I'm now at 3 trashed phones. The Verizon techs agree; they've never seen anything like it either. Last Friday, there was an addition made to my plan for data usage. I didn't make it. I do not use the Internet on my phone. At any rate, there is also a registry key for synced mobile devices; no names of devices, just long strings of numbers. If after reading this you have any suggestions or guidance, I would be extremely grateful. Thanks, Missy
September 5th, 2011 9:46am

Missy, again, some of these things are "normal": the TrustedInstaller, Remote Registry, Workstation and Server services are all supposed to be there. The fact that you can't actually use the laptop is the real problem here. I would agree that I don't think that it's a hardware-related problem but a network-related issue (although it still doesn't explain your cell phone problems). My advice would be to either open an actual support incident with our security group here at Microsoft or, if you still want to continue down this road, then I would rebuild one machine completely from media, not connect it to the Internet in any way, and then see what your results are. Next I would add the system to the Internet via only the cable modem (not via the router) and again check the results. If both of those tests work properly, perhaps something is on the router that is causing the problem. I'm curious to know how you're determining most of these other things are occurring, though. For example, how do you know there is gaming taking place on your machine? Do you have Remote Assistance turned on? If so, maybe try turning it off and check the results. All in all you've got a really odd issue that, if a rebuild doesn't work, is really hard to tell you the next steps for without physically seeing the problem.--Joseph [MSFT] http://blogs.technet.com/b/joscon/
September 5th, 2011 11:52am
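The rebuild-and-reconnect test Joseph describes only tells you something if the machine's state is recorded at each step and the records are compared, rather than eyeballed in Device Manager and services.msc. The script below is an added example; it is not part of the thread and not a Microsoft tool. It assumes Windows 7 with PowerShell 2.0 and the built-in netstat, net, schtasks and netsh commands, and the file names under C:\snap are placeholders. Take one snapshot after the offline rebuild, one after the cable-only connection, and diff them.

```powershell
# Snapshot.ps1 -- added example, not from the thread or from Microsoft.
# Records what the thread argues about (domain membership, services and their
# process type, drivers, listening ports, local admins, scheduled tasks,
# partitions, firewall/RDP/Remote Assistance settings) and diffs two snapshots.
# Windows 7 / PowerShell 2.0, built-in tools only; run from an elevated prompt.
#
#   .\Snapshot.ps1 -Take C:\snap\offline.xml               # after the offline rebuild
#   .\Snapshot.ps1 -Take C:\snap\cabled.xml                # after the first cabled connection
#   .\Snapshot.ps1 -Diff C:\snap\offline.xml,C:\snap\cabled.xml
param(
    [string]$Take,
    [string[]]$Diff
)

function Get-Snapshot {
    $snap = @{}
    $cs = Get-WmiObject Win32_ComputerSystem
    $snap['computer'] = @("{0} domain={1} partOfDomain={2}" -f $cs.Name, $cs.Domain, $cs.PartOfDomain)

    # ServiceType is "Share Process" for svchost-hosted services and "Own Process" otherwise
    $snap['services'] = @(Get-WmiObject Win32_Service | ForEach-Object {
        "{0}|{1}|{2}|{3}|{4}|{5}" -f $_.Name, $_.State, $_.StartMode, $_.ServiceType, $_.StartName, $_.PathName })

    $snap['drivers'] = @(Get-WmiObject Win32_SystemDriver | ForEach-Object {
        "{0}|{1}|{2}|{3}" -f $_.Name, $_.State, $_.StartMode, $_.PathName })

    # Listening TCP sockets with the owning PID, e.g. "TCP 0.0.0.0:3389 pid=1234"
    $snap['listening'] = @(netstat -ano | Where-Object { $_ -match '^\s*TCP.*LISTENING' } | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        "{0} {1} pid={2}" -f $f[0], $f[1], $f[4] })

    # Members of the local Administrators group, with net.exe's banner lines stripped
    $snap['admins'] = @(net localgroup Administrators | Where-Object {
        $_ -and $_ -notmatch '^(Alias|Comment|Members|-+|The command)' })

    # schtasks repeats its CSV header once per task folder; parse with a fixed header and drop those rows
    $snap['tasks'] = @(schtasks /query /fo csv | ConvertFrom-Csv -Header TaskName,NextRun,Status |
        Where-Object { $_.TaskName -ne 'TaskName' } | ForEach-Object { $_.TaskName })

    # Sizes in GiB: a "500 GB" drive is 500*10^9 bytes = 465.7 GiB, and Dell ships a
    # hidden recovery partition, so compare the partition sum against the disk size.
    $snap['disks'] = @(Get-WmiObject Win32_DiskDrive | ForEach-Object {
        "{0} {1:N1} GiB" -f $_.DeviceID, ($_.Size / 1GB) })
    $snap['partitions'] = @(Get-WmiObject Win32_DiskPartition | ForEach-Object {
        "{0} {1:N1} GiB boot={2} type={3}" -f $_.DeviceID, ($_.Size / 1GB), $_.BootPartition, $_.Type })

    $snap['firewall'] = @(netsh advfirewall show allprofiles state | Where-Object { $_ -match 'Profile|State' })

    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
    $snap['remote'] = @(
        ("fDenyTSConnections={0}" -f $ts.fDenyTSConnections),   # 1 = Remote Desktop off
        ("fAllowToGetHelp={0}" -f $ra.fAllowToGetHelp)          # 0 = Remote Assistance off
    )
    return $snap
}

function Compare-Snapshot($before, $after) {
    # Plain set difference per category; "-" lines vanished, "+" lines appeared after the step
    foreach ($key in ($before.Keys | Sort-Object)) {
        $gone = @($before[$key] | Where-Object { $after[$key] -notcontains $_ })
        $new  = @($after[$key]  | Where-Object { $before[$key] -notcontains $_ })
        if ($gone.Count -or $new.Count) {
            "== $key =="
            $gone | ForEach-Object { "- $_" }
            $new  | ForEach-Object { "+ $_" }
        }
    }
}

if ($Take) {
    Get-Snapshot | Export-Clixml -Path $Take
    "snapshot written to $Take"
} elseif ($Diff -and $Diff.Count -eq 2) {
    Compare-Snapshot (Import-Clixml $Diff[0]) (Import-Clixml $Diff[1])
} else {
    "usage: Snapshot.ps1 -Take <file.xml> | -Diff <before.xml>,<after.xml>"
}
```

A first snapshot of a clean Windows 7 install already contains the Server, Workstation and Remote Registry services, TrustedInstaller, several "Share Process" services, a "Microsoft ACPI-Compliant System" device, a recovery partition and a drive that reports 465.7 GiB for 500 GB; those entries are the baseline, not findings. What matters is the `+` lines in the diff between the offline snapshot and the one taken after the first connection: a new listening port, a new service or driver, a new local administrator, a new scheduled task, or a change in domain membership or the firewall state.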

Hey Joseph, As soon as I sent the last post, I realized I'd forgotten to mention why I haven't gone to a wired connection... I am not able to install an 10/100 network controller. I just tried again a couple of hours ago. Using the Dell driver disk on either laptop, I am able to start the installer but then get an error message that the driver is not compatible with my computer. Again, it's on the disk that came with each of the respective laptops. That's been going on for about a month. Additionally, when I install any drivers off of the CD, I get additional programs. Yet, for the past 8 weeks, nothing is as it should be with my computers. For example, the wireless network controllers on the disk are the 1501 and the 1520 dell wireless network cards. Yet, when installing, I don't get either of those. I get the 1397 Dell wireless driver (not on the disk), as well as Cisco EAP, LEAP and PEAP.. I didn't know what they were before checking them out on the internet. I've also had Microsoft visual Basic C come in with files that were supposedly installed from the Dell disk. I do realize that some of the things I mentioned in my previous post are typical - ie the trusted installers and some of the services. However, within the current context, they're anything but normal. I've had the "trustedinstallers" block me from deleting one of my files. While I definitely DO NOT have remote access enabled (I've always been very careful about keeping that feature disabled), I do have 6 remote connection related services actively running, in addition to 2 P2P services. I am not able to stop them from running, the disable feature is grayed out. I am also not able to stop the Group Policy service, or the 4 DCOM services. Nor am I able to uninstall any of the MANY drivers for hardware I do not have from the device manager, I started to say from the computer but they're not on my computer... The device manager within both of my laptops shows my computers as an ACPI compliant system. 
There is also another computer shown with a driver called HAL.inf. There are NUMEROUS drivers for SM BUS hubs, tons of PnP drivers which show locations other than my computers, way more networking drivers than any one computer would ever need, including terredo tunneling and link to link mapping, there is a remote mirror driver, a RDPDD driver, PCI bridge, just all kinds of weird stuff. I've had one of these laptops for over 2 years and used it over 8 hours a day. I am very familiar with it. I know what is normal.. even if I didn't have all of the other weird stuff (quite a few emails from friends I've not received, a new account on ancestry.com I didn't set up, a Windows Mail account I didn't set up and do not have access to, unauthorized online changes made to my verizon account service plan), the current configuration is not the laptop I've used for 2 years. speaking of verizon, the phones were synced to the computers using the standard Windows sync program. Thereafter, programs were installed on them that could not be removed, the key settings were no longer standard (I have the original manuals to all of the phones which documents this) and on one, it was impossible to set the NAM.. the setting key is no longer for that function, it's just gone. With Verizon's guidance, I attempted to restore all three to factory settings. We went through the entire process and then couldn't reactivate the phones.. it just wouldn't go through. Additionally, the restore which should have wiped all of the info from the phones, removed nothing. Bottomline, they are all worthless now. They can't be connected without being programmed/ reactivate and that is not happening. I worked with 2 different Verizon reps. Both said they had never seen anything like it. Regarding my awareness of the type of activity taking place, I've copied and pasted the contents of a file stored on the laptop I'm currently using. 
The file is entitled UserConfig.xsd: <?xml version="1.0"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.cisco.com/CCX" targetNamespace="http://www.cisco.com/CCX" elementFormDefault="qualified" attributeFormDefault="unqualified"> <xs:element name="eapCredentials" type="EapCredentials" /> <xs:complexType name="EapCredentials"> <xs:sequence> <xs:element name="username" type="xs:string" minOccurs="0" /> <xs:element name="password" type="xs:string" minOccurs="0" /> <xs:element name="certificate" type="xs:hexBinary" minOccurs="0"> <xs:annotation> <xs:documentation> SHA-1 hash over the whole binary certificate in X509 format that uniquely identifies a certificate in the OS managed store. </xs:documentation> </xs:annotation> </xs:element> </xs:sequence> </xs:complexType> </xs:schema> Over the past month, I've looked at every file, every registry key on each of my laptops. There are all of these certificates (x509 and others) that are protected files. cimcontent.com is somehow related, it's referenced in a bunch of the files. There is obviously a relatively strong internet presence as every page I go to is a redirect, even my comcast home page. I have over 20 active x controls that are all run without permission, and we're not talking adobe flash or shockwave, these all relate to scripting.. there's even a plug in for a scripting dictionary I use Firefox and you can see the web address not just in the browser address bar but in the bottom left side of the page. The browser address will show one thing and the bottom left of the page shows another. Whoever this is has access to encrypted web pages because I've looked at my bank account online from here and although the page is encrypted, the page info and certificate on my bank's web page says that PNC Bank does not claim the site. I went to my sister's and checked it out on her computer where the certificate showed PNC as the owner of the site and supplied contact info. 
I have active "Saved Game" files.. I don't play games. Several of my friends have had their email accounts hacked recently and I'm pretty sure I was unintentionally the cause. As I type an email, my cursor goes up to the email address typed in the address window or if I'm reading a group forward, it bounces like crazy across the group of email addresses. Finally, not finally in actuality but finally as in I'm tired of typing with the cursor jumping all around, I know there is heavy activity on my internet connection as comcast keeps an account of how much you've used, I am at like 20GB this month.... WAY beyond my usual usage. Oh, and also, especially at night, the task manager will show my computer is being used at like 50% of it's capacity, and I'm just looking at the task manager, not running any programs. If I click show processes from all users, the list of running processes quadruples and shows multiple CPU IDs. Windows Media Center is a huge part of whatever is going on, as is Windows Sidebar. Oddly, WMP is set as the default program to open some text and executable files, as well. Ease of Access Center is also a player, along with the Easy File Transfer. As Micheal (the original poster in this thread said) the DRAM is involved too. A lot of the weird programs show installations in memory addresses. Joseph, Microsoft was the first place I called. I agreed to a 60.00 fee upon resolution and gave my credit card number. I think I still have an active case number but after several calls of being told a clean install will solve all and being treated like I was an absolute idiot, I gave up. Listen, it's not the money. Had there been a resolution, I would have gladly paid any amount asked. Yet, the only thing I was told was a clean install will fix all.. and I get that mentality. I thought that too... but it is not the case in this situation.. and no one seems to want to hear that, listen to that. I also have had numerous conversations with various reps from Dell.. 
they will keep installing HDDs until the cows come home.. I bought the 3 year "anything" extended warranty on one of these laptops... they have definitely lost money on that deal. I called AVG's fee based service too. Locally, I've paid an IT guy several hundred dollars to come to my home, work on the network and reinstall the OS in one of the laptops.. posting on the internet is my LAST resort, not the first. I make my living selling on eBay. Typically, I make a very nice living. Now, I'm afraid to look at my PP account. My gross income for the past 8 weeks is down around 20,000. If I don't get this squared away soon, I won't have to worry about it. I won't be able to pay my Comcast and Verizon bills and will have to sell the laptops to buy something to eat off the dollar menu at McDonald's. Again, any ideas, any guidance will be appreciated. Thanks so much for your time. Best, Missy
September 6th, 2011 1:52am

Missy, I am the one who started this thread. I just got my machine back up today after installing Win 7 Ultimate for about the 25th time. It appears as if when I loaded it on 2 separate partitions it confused the hackers' malicious software. It gave me some time to lock down my system before the bad guys got to me. They are still out there. I installed some network tracking software and I am seeing all sorts of strange service requests coming out of my machine. It appears that as soon as a network connection is made the software is programmed to send out a call home packet. This gives the folks a heads up that I am back up and working and they can start to utilize my machine for whatever purpose they have. Your problem is exactly the same as my problem. I think I have uncovered what is happening (read the post after this one), but I really do not know how to clear it out of my system at this point. I have so much junk on my computer that I think it may be impossible to clean. I need for Microsoft to tell me how to get rid of WinPE, Active Domain and NT. Now I know some of these software components may be built into Win 7, but what has happened is clearly the work of some bad people that have caused me much pain and loss of income. I just found a program that gave me a decent report of my driver problem. It is long, but I think it is important for Microsoft to see. This is the crap that has been loaded on my machine and I can't remove these drivers. They are set up so that I either get an Access Denied error or, should I delete them, I get the Blue Screen at my next boot. The one thing that I was able to do, and it has thus far seemed to help, is I noticed all the Services I had running were set up to run in a shared process. I think this allowed multiple people to utilize the same services. I changed most of them to run in their own process by issuing the following command line options "sc config 'service name' type= own". 
Now I was not able to change the key one which I have all along believed to be my problem - the Group Policy service. I am screwed if someone else has Super User Admin rights while I only have Local user admin rights. Once I installed Win 7 Ultimate I immediately saw the difference as this product has so many security options that it makes my head spin. PS - I am not able to send the files that show my driver problems as I get an error message stating it is too big. I will send it under a separate post.
September 6th, 2011 3:24am

Microsoft AC Adapter 6.1.7600.16385 2006-06-21 Microsoft Signed, default Dell Touchpad 15.1.12.0 2010-09-03 Synaptics Signed ACPI Fixed Feature Button 6.1.7601.17514 2006-06-21 Microsoft Signed, default Intel(R) Core(TM) i3 CPU U 380 @ 1.33GHz 6.1.7600.16385 2006-06-21 Microsoft Signed, default Programmable interrupt controller 6.1.7601.17514 2006-06-21 Microsoft Signed, default System timer 6.1.7601.17514 2006-06-21 Microsoft Signed, default High precision event timer 6.1.7601.17514 2006-06-21 Microsoft Signed, default Direct memory access controller 6.1.7601.17514 2006-06-21 Microsoft Signed, default Standard PS/2 Keyboard 6.1.7601.17514 2006-06-21 Microsoft Signed, default System speaker 6.1.7601.17514 2006-06-21 Microsoft Signed, default PCI bus 6.1.7601.17514 2006-06-21 Microsoft Signed, default System CMOS/real time clock 6.1.7601.17514 2006-06-21 Microsoft Signed, default System board 6.1.7601.17514 2006-06-21 Microsoft Signed, default Motherboard resources 6.1.7601.17514 2006-06-21 Microsoft Signed, default Numeric data processor 6.1.7601.17514 2006-06-21 Microsoft Signed, default Microsoft ACPI-Compliant Control Method Battery 6.1.7600.16385 2006-06-21 Microsoft Signed, default ACPI Power Button 6.1.7601.17514 2006-06-21 Microsoft Signed, default ACPI Lid 6.1.7601.17514 2006-06-21 Microsoft Signed, default ACPI Sleep Button 6.1.7601.17514 2006-06-21 Microsoft Signed, default Microsoft Windows Management Interface for ACPI 6.1.7601.17514 2006-06-21 Microsoft Signed, default ST Micro Accelerometer 1.0.0.12 2010-08-18 ST Microelectronics Signed ACPI Thermal Zone 6.1.7601.17514 2006-06-21 Microsoft Signed, default Microsoft ACPI-Compliant System 6.1.7601.17514 2006-06-21 Microsoft Signed, default Bluetooth Device (Personal Area Network) 6.1.7600.16385 2006-06-21 Microsoft Signed, default Bluetooth Device (RFCOMM Protocol TDI) 6.1.7600.16385 2006-06-21 Microsoft Signed, default Generic PnP Monitor 6.1.7600.16385 2006-06-21 Microsoft Signed, default Generic PnP 
Monitor 6.1.7600.16385 2006-06-21 Microsoft Signed, default IDT High Definition Audio CODEC 6.10.0.6295 2010-08-05 IDT Signed Intel(R) Display Audio 6.12.0.3047 2010-02-03 Intel(R) Corporation Signed WDC WD5000BEKT-75KA9T0 ATA Device 6.1.7600.16385 2006-06-21 Microsoft Signed, default Realtek PCIe GBE Family Controller 7.23.623.2010 2010-06-23 Realtek Signed Intel(R) processor DRAM Controller - 0044 9.1.1.1022 2009-10-28 Intel Signed Intel(R) HD Graphics 8.15.10.2154 2010-06-21 Intel Corporation Signed Intel(R) 82801 PCI Bridge - 2448 6.1.7601.17514 2006-06-21 Microsoft Signed, default Intel(R) HM57 Express Chipset LPC Interface Controller - 3B0B 6.1.7601.17514 2006-06-21 Microsoft Signed, default Intel(R) 5 Series/3400 Series Chipset Family 2 port Serial ATA Storage Controller - 3B2D 9.1.1.1013 2009-06-04 Intel Signed Intel(R) 5 Series/3400 Series Chipset Family 4 port Serial ATA Storage Controller - 3B2E 9.1.1.1013 2009-06-04 Intel Signed Intel(R) 5 Series/3400 Series Chipset Family SMBus Controller - 3B30 6.1.7601.17514 2006-06-21 Microsoft Signed, default Intel(R) Turbo Boost Technology Driver 1.2.0.1002 2010-02-26 Intel Signed Intel(R) 5 Series/3400 Series Chipset Family USB Enhanced Host Controller - 3B34 9.1.1.1020 2009-08-20 Intel Signed Intel(R) 5 Series/3400 Series Chipset Family USB Enhanced Host Controller - 3B3C 9.1.1.1020 2009-08-20 Intel Signed Intel(R) 5 Series/3400 Series Chipset Family PCI Express Root Port 1 - 3B42 6.1.7601.17514 2006-06-21 Microsoft Signed, default Intel(R) 5 Series/3400 Series Chipset Family PCI Express Root Port 2 - 3B44 6.1.7601.17514 2006-06-21 Microsoft Signed, default Intel(R) 5 Series/3400 Series Chipset Family PCI Express Root Port 3 - 3B46 6.1.7601.17514 2006-06-21 Microsoft Signed, default Intel(R) 5 Series/3400 Series Chipset Family PCI Express Root Port 5 - 3B4A 6.1.7601.17514 2006-06-21 Microsoft Signed, default High Definition Audio Controller 6.1.7601.17514 2010-11-19 Microsoft Signed, default Intel(R) Management 
Engine Interface 6.0.0.1179 2009-09-17 Intel Signed ATA Channel 0 6.1.7601.17514 2006-06-21 Microsoft Signed, default Microsoft ISATAP Adapter 6.1.7600.16385 2006-06-21 Microsoft Unsigned Teredo Tunneling Pseudo-Interface 6.1.7600.16385 2006-06-21 Microsoft Unsigned ACPI x64-based PC 6.1.7600.16385 2006-06-21 Microsoft Signed, default File as Volume Driver 6.1.7600.16385 2006-06-21 Microsoft Unsigned Composite Bus Enumerator 6.1.7601.17514 2006-06-21 Microsoft Signed, default Microsoft Composite Battery 6.1.7600.16385 2006-06-21 Microsoft Signed, default @%systemroot%\system32\drivers\afd.sys,-1000 Unsigned AVGIDSDriver Unsigned AVGIDSEH Unsigned AVGIDSFilter Unsigned AVG AVI Loader Driver Unsigned AVG Mini-Filter Resident Anti-Virus Shield Unsigned AVG Anti-Rootkit Driver Unsigned AVG TDI Driver Unsigned Beep Unsigned @%systemroot%\system32\browser.dll,-102 Unsigned CD/DVD File System Reader Unsigned @%SystemRoot%\system32\clfs.sys,-100 Unsigned CNG Unsigned LDDM Graphics Subsystem Unsigned @%SystemRoot%\system32\drivers\fvevol.sys,-100 Unsigned @%SystemRoot%\system32\drivers\http.sys,-1 Unsigned @%systemroot%\system32\drivers\hwpolicy.sys,-101 Unsigned KSecDD Unsigned KSecPkg Unsigned Link-Layer Topology Discovery Mapper I/O Driver Unsigned @%systemroot%\system32\drivers\luafv.sys,-100 Unsigned @%SystemRoot%\system32\drivers\mountmgr.sys,-100 Unsigned @%SystemRoot%\system32\FirewallAPI.dll,-23092 Unsigned @%systemroot%\system32\wkssvc.dll,-1002 Unsigned @%systemroot%\system32\wkssvc.dll,-1004 Unsigned @%systemroot%\system32\wkssvc.dll,-1006 Unsigned msisadrv Unsigned NativeWiFi Filter Unsigned @%SystemRoot%\system32\drivers\ndis.sys,-200 Unsigned NDIS Usermode I/O Protocol Unsigned @%SystemRoot%\system32\drivers\netbt.sys,-2 Unsigned @%SystemRoot%\system32\drivers\nsiproxy.sys,-2 Unsigned Null Unsigned Performance Counters for Windows Driver Unsigned PEAUTH Unsigned @%SystemRoot%\System32\drivers\pacer.sys,-101 Unsigned 
@%systemroot%\system32\DRIVERS\RDPCDD.sys,-100 Unsigned @%systemroot%\system32\drivers\RDPENCDD.sys,-101 Unsigned @%systemroot%\system32\drivers\RdpRefMp.sys,-101 Unsigned Link-Layer Topology Discovery Responder Unsigned Security Driver Unsigned Security Processor Loader Driver Unsigned @%systemroot%\system32\srvsvc.dll,-102 Unsigned @%systemroot%\system32\srvsvc.dll,-104 Unsigned srvnet Unsigned @%SystemRoot%\system32\vmstorfltres.dll,-1000 Unsigned @%SystemRoot%\system32\tcpipcfg.dll,-50003 Unsigned TCP/IP Registry Compatibility Unsigned @%SystemRoot%\system32\tcpipcfg.dll,-50004 Unsigned VgaSave Unsigned @%SystemRoot%\system32\drivers\volmgrx.sys,-100 Unsigned Storage volumes Unsigned Virtual WiFi Filter Driver Unsigned @%systemroot%\system32\rascfg.dll,-32012 Unsigned Kernel Mode Driver Frameworks service Unsigned WFP Lightweight Filter Unsigned WIMMount Unsigned User Mode Driver Frameworks Platform Driver Unsigned Microsoft System Management BIOS Driver 6.1.7601.17514 2006-06-21 Microsoft Signed, default Remote Desktop Device Redirector Bus 6.1.7600.16385 2006-06-21 Microsoft Signed, default Terminal Server Keyboard Driver 6.1.7601.17514 2006-06-21 Microsoft Signed, default Terminal Server Mouse Driver 6.1.7601.17514 2006-06-21 Microsoft Signed, default Plug and Play Software Device Enumerator 6.1.7601.17514 2006-06-21 Microsoft Signed, default UMBus Root Bus Enumerator 6.1.7601.17514 2006-06-21 Microsoft Signed, default Microsoft Virtual Drive Enumerator Driver 6.1.7601.17514 2006-06-21 Microsoft Signed, default Volume Manager 6.1.7601.17514 2006-06-21 Microsoft Signed, default Generic volume 6.1.7601.17514 2006-06-21 Microsoft Signed, default Generic volume 6.1.7601.17514 2006-06-21 Microsoft Signed, default Generic volume shadow copy 6.1.7600.16385 2006-06-21 Microsoft Unsigned Microsoft Streaming Service Proxy 6.1.7600.16385 2006-06-21 Microsoft Unsigned Microsoft Streaming Clock Proxy 6.1.7600.16385 2006-06-21 Microsoft Unsigned Microsoft Streaming 
Tee/Sink-to-Sink Converter 6.1.7600.16385 2006-06-21 Microsoft Unsigned Microsoft Streaming Quality Manager Proxy 6.1.7600.16385 2006-06-21 Microsoft Unsigned RAS Async Adapter 6.1.7601.17514 2006-06-21 Microsoft Signed, default Microsoft Trusted Audio Drivers 6.1.7600.16385 2009-07-13 Microsoft Signed, default UMBus Enumerator 6.1.7601.17514 2006-06-21 Microsoft Signed, default UMBus Enumerator 6.1.7601.17514 2006-06-21 Microsoft Signed, default USB Root Hub 6.1.7601.17514 2006-06-21 Microsoft Signed, default USB Composite Device 6.1.7601.17514 2006-06-21 Microsoft Signed, default Integrated Webcam 6.1.7601.17514 2006-06-21 Microsoft Signed, default USB Mass Storage Device 6.1.7601.17514 2006-06-21 Microsoft Signed, default USB Mass Storage Device 6.1.7601.17514 2006-06-21 Microsoft Signed, default Generic USB Hub 6.1.7601.17514 2006-06-21 Microsoft Signed, default TSSTcorp CDDVDW SE-S084C USB Device 6.1.7601.17514 2006-06-21 Microsoft Signed, default SanDisk Cruzer USB Device 6.1.7600.16385 2006-06-21 Microsoft Signed, default Removable Disk 6.1.7600.16385 2006-06-21 Microsoft Signed, default Microsoft Virtual WiFi Miniport Adapter 6.1.7600.16385 2006-06-21 Microsoft Unsigned
September 6th, 2011 3:26am

No. I do not connect my computer in any way to the network from the Internet cafe. I think I may have finally shed some light on this issue. Every time I got into a Computer Recovery mode I could drop down into that X: drive that has been so mysterious. Recently I noticed a Windows program running called WinPE. I did a little digging today and understand what that software is used for. BUT, I believe some people have learned how to take advantage of that software in ways that Microsoft never intended. First off let me say that my new laptop did not come with an OEM Recovery Partition. This was created by some people unbeknownst to me. Based on what I read today, it all makes perfect sense - WinPE can create a partitioned drive and once it is created and the intended software is installed, that drive can never be found - this at least according to a document I read on Microsoft's website today. So basically I can never get rid of this malicious WinPE software that is sitting on my hard drive. These people must be ex Microsoft programmers or are just very, very familiar with Microsoft's programming.. I guess what they do is find a hole in someone's Internet access. Lay down this software via BITS transfer. Then they create all sorts of shares that allow other folks to access the computers that have been exposed. The exposed computers then will become servers in a way. They have been controlling my computer by somehow putting me into their Active Domain cloud. This has actually been going on awhile - over a year. It wasn't until I really started to notice it and fight back that I came to the conclusion this was serious. As I would try to prevent them from gaining access, they would tighten down my capabilities via Group Policy rules. As an example, if I put in a firewall rule to prevent inbound and outbound traffic they would just disable my local firewall via their group policy. 
I did not even know this existed until I installed Win Ultimate - this was when I started to gain a little bit of an upper hand. While I finally just got on-line not more than an hour ago, I can see their work is still playing havoc with my computer. Every time I install the virus protection product from AVG, they come in and somehow disable it so it is worthless after about a day or two. I still have one big problem and it has been the same problem I have had since day 1 of this excursion for me. I can not stop or disable or do anything with the Group Policy Service. Everything is grayed out. When I go to the command prompt and issue an sc command I get an Access Denied message with this Service. There are about 5 or 6 services running that I have the same problem with. I do not believe the memory problem I have has anything to do with memory leaking into the video memory. Take a look at 2 screen shots of my device manager and look at the installed devices. These were not like this before my problem started to occur. I believe these people are trying to use some of my memory to hold code or their own software for lightning fast access. I ran the debug program down at the command prompt and I found much reference to the fact they were using my machine as a testing ground for whatever is up their sleeves. When I first noticed this I could just uninstall the devices or disable them but now every time I do that I either need to re-install my OS again because I get the dreaded blue screen at my next boot or nothing occurs at all and that memory access is not mine anymore. It appears as if they are using 200meg of my RAM for their own purpose. I really think Microsoft should investigate this matter. They flew under my radar for a very long time. Once I discovered it, it has been an uphill battle to regain control of my machine. While I have some control at the moment I do not know how long it will last with all that malicious software still on my machine. 
I have mountains and mountains of information with regards to this matter, but I need to get some other work done. I have literally been offline because of this matter for over 4 months now. It has caused me great pain in ways that might be hard for people to understand. Take care and thanks for the response. On Sat, Sep 3, 2011 at 6:14 AM, <forumsup@microsoft.com> wrote:
September 6th, 2011 3:27am

Wow - I just read your entire thread. It brings back many ugly memories. You are where I was 6 to 8 months ago. My issue started out with ActiveX scripts running every day. They had the www.w3.org reference that you mention. It slowly moved away from ActiveX issues to a much worse problem. What really caught my attention about your post was your mention of Media Center being a big part of this entire issue. You are 100% correct in what you say. What these people are doing is tracking every thing you do on your computer. They are saving this information in a variety of ways with the use of IE being one of the big ways. But they are also using all sorts of Syslink directories, Shared Drives, and UNC paths to hide the information they are tracking on you. They gather this information on a daily basis and send it up to their cloud via the Media Center program. Apparently they are using the transcoding capabilities as it suits their purpose. I only know this by accident. One night I saw a Network Share come into my computer. I was able to access that person's Network Share and what I received was this strange file coming into Media Center that was being transcoded. The file was initially very small but what I ended up seeing was every single web page I had visited over the past few days. All in a graphic format. Since I have been back up online just today, I have wiped my computer at least 8 times of all privacy related files left behind. Each time it is in the 25 - 50 Meg range. It is simply unbelievable. They also were able to gain access to my Blackberry. I did not know that was the problem at the time, but I have all the emails of my complaints to RIM and my carrier that someone was gaining access to my device and had the capability to see everything I was doing, but even more scary - they were able to track my every whereabouts. It is scary for me as I live in a foreign country that is not quite as safe as the US. 
I notice on my Dell they had the capability to turn on my webcam remotely. They could turn on the audio and listen to what I say if they wanted to. They have the Location service running which could be used to track the whereabouts of your computer. I also noticed they had the Microsoft Narrator program running at all times. I could not turn it off. Basically every time I typed a word the program would pronounce it. Now I never heard a thing, but I assume these people found a way or were looking for a way to send this information over the network. It would be a good way for them to get password and bank PIN information that you type in to the computer. Up until today I have pretty much left my NIC card, USB ports, camera and microphone off via the BIOS. But my problem was the Dell Vostro laptop did not come with a CD drive so every time I needed to install the OS again I had to turn on the USB ports which allowed these people to gain access to my machine via some sort of Bluetooth and wireless capability. This is the part that really has me the most stumped. Given the short range of BT I do not understand how they were able to do this. I think what I essentially had was two OSes running. One was mine and one was theirs. They could gain access to my machine anytime they wanted as they set up my computer as a server and they were the owners of that server with their own RAM which they still have along with their own hard disk space which they still have. The last thing I want to mention is I also had the same problem with my email where I could tell there was someone else in that email with me. There was a recent time when I discovered the Active Domain connection. I was doing some research on the Internet and came across a paper that gave huge insight into the problem. As I was trying to copy the paper into my email I was blocked by someone who threw up another web page that prevented me from doing what I needed to do. It was all very strange. 
In fact I complained to Google for a good month as I thought someone had moved me to their Google Apps product and my email was being hosted on a domain other than Google. It even got so bad that I think these people were able to track me every time I logged into my email account. I later discovered about 50 add-on browser files that had been added to IE and every single one said they were Microsoft files but there was also a warning that the Microsoft signature could not be verified. These were all very old ActiveX type files, scripts, capabilities and programs (just as most of my drivers currently loaded say they are from Microsoft from the year 2006; that is ancient history in the computer world). I obviously disabled those add-ons. I never even imagined this was a Microsoft issue up until now. I was blaming Dell and Absolute (makers of the LoJack BIOS security software). When this problem first occurred quite some time ago I immediately bought a 2-year software maintenance contract from a Microsoft owned company. They were not very helpful. I even brought up this whole Group Policy issue with them numerous times but every time I called I had to spend an hour on the phone explaining everything all over again, until it started to become a joke. I gave up on them. My only request of them was to help me disable the Group Policy Service. They said it could not be done in Win 7 Home Premium. Well I have yet to find a way to do it with Win 7 Ultimate. Anyway that is enough for now. I only hope Microsoft steps up here and takes some responsibility. I think this problem is only going to get much worse. Just like you, this stuff seemed to follow me wherever I went and I ended up infecting my father's machine and a few friends.
September 6th, 2011 4:47am

Joseph, I need to bring up one last item that I just noticed. This should clearly (at least I hope) make Microsoft want to get involved with this matter. Look at the 2 device drivers called TSSTcorp and SanDisk Cruzer. These people have taken devices from other manufacturers (SanDisk and Samsung with the TSSTcorp driver) and put Microsoft's name on them. They have given the device drivers' software a date of 6-21-2006 and claimed that Microsoft is the certification signer (ALL BOGUS). You will also notice some of the Intel stuff states it is Microsoft. Most of the Intel drivers that have the correct dates and names were just loaded over the last few days on my machine. Given time these drivers will also convert to this 6.1.7600 software version with the 6-21-2006 date. I believe this is occurring as all the drivers from these people have been put into one big cabinet file which they unload every time I try to re-install the OS.
September 6th, 2011 5:31am

OK, so a couple more things here:
1. The WinPE partition at the front of an OEM installation is 100% normal. OEMs are allowed to configure those types of drives for their WinRE installations how they want to, based on how they want to support recovery.
2. When you see drivers for devices that are branded as Intel or SanDisk but the signer is Microsoft, that is also fairly normal. We sign many third party drivers that we have tested with the vendors internally during an OS release. These are commonly the drivers you'll see on Windows Update. If you were to install the ISV's driver directly, that should have their signatures if that's what you're after.....again though, this isn't a problem.
3. Trusted Installer blocking you from deleting a file is 100% normal and expected behavior. That service is there to protect the operating system from exactly that type of behavior.
Lastly, I know this won't be a popular stance but I am yet to see where this is a Microsoft problem. That's not to say there might not be an OS issue related here somewhere but I still don't have a good understanding of either of the actual problems here and they all seem to be related to your internet connections. If either of you wanted to test a clean installation that never goes online and describe your symptoms (if they occur) then I would be happy to assist in questions about how or what the OS should be doing vs. what you're seeing it do. Otherwise, your best bet is to open a support case with our security team. They have tools that they can run against your machine to tell you if you were a victim of hacking or not.--Joseph [MSFT] http://blogs.technet.com/b/joscon/
September 6th, 2011 7:03am

So Microsoft has released 9 unsigned drivers in just one single user situation. There must be millions if not billions of these unsigned drivers sitting on people's computers. Pretty damn careless for a multi billion dollar corporation, don't you think? I am sorry but opening a case with your security team will do no good. I will get the same response from them as I just got from you - didn't you listen to what Missy told you about her interaction with your team? Opening a case with the Justice Department would be much better. The hackers got me again last night. They tore AVG12 apart. They disassembled all the software I downloaded throughout the day yesterday, they took my local admin rights away and made me a user on my own damn machine that I own - all with Microsoft products that you even claim were signed by your company or in nine cases not signed. I finally said F it and deleted every file on my computer that was not write protected. Of course the WinPE stuff from 2006 will still be there.. Here is what I learned today. I need to stop winmgmt by issuing a simple command line option. I learned how to disable Group Policy in the Registry setting. I will also be shutting DCOM down which Domain Controllers use to remotely access and keep updated their Group Policy on the remote machines. Once DCOM is disabled I can disable COM+ Services. All of these above mentioned services were the only ones I had no control over. I have been advised to shut down port 135 via a netstat command as this is the port used to remotely access for Group Policy changes. I think there is also a netsh firewall command that can be issued to disable RemoteAdmin capability. I hope this clears my problem but since the very first day this occurred that Group Policy running has me pointing a finger at it. Why would a standalone workstation need to have a Group Policy? 
I spent 2 freaking months working with a Microsoft owned technical support company and only got bewilderment gestures throughout. Almost exactly like your response today. I won't be contacting Microsoft with regards to this matter anymore. If I have any contact with them it will be in a different venue. Thanks for your help and support.
September 6th, 2011 4:15pm

You're putting words into my mouth. I said that drivers being signed by Microsoft isn't unusual. I did not say that Microsoft issues unsigned drivers (we don't). The reason I suggest opening an issue with our teams is because what you're communicating here as a hacking issue needs to be investigated. Hacking isn't really an OS issue per se, but we can help to find out what type of intrusion you've experienced and give you steps to remediate it. As I have repeatedly said here, if you re-format and reinstall your system and you still have the issue then it's something living on your network that is causing the issue. There are steps you can take to alleviate some of those issues as well. I'm not sure who you're working with that is a Microsoft owned technical support company, but if they aren't Microsoft Technical Support then they are likely a gold partner, which isn't the same thing. The reason you're getting bewildered responses from either myself or the other group you're working with is because I still honestly don't know what your problem is and most likely, neither do they. The issue seems to constantly jump from one thing to another and I am trying to get a handle on why certain things are acting in a specific way. Again, this is why I have asked about you reformatting and doing a clean installation and the results. You can remove the WinPE partition from your installation but I doubt you would be under support via your OEM so I will let them tell you how that's done. But overall I am just trying to help you out because the issue is obviously frustrating. If you no longer want assistance, that's your call but I am willing to keep working on ways to determine root cause. It's just a lot harder to do on a web forum.--Joseph [MSFT] http://blogs.technet.com/b/joscon/
September 6th, 2011 4:26pm

Frankly I have not seen this level of "challenge" per se, though I have fixed many compromised systems, and I have not seen anything survive a complete partitioning of the hard drive and reformatting, then freshly loading the OS. This level of compromise of your system is off, to say the least. I would have to ask just what you're loading software-wise onto the system? On the surface, a legit Windows install with legit software packages should not be an issue; the only time I see things this bad is when people re-install shareware, or slightly used software off the internet that contains a rootkit and other nasty packages. Otherwise, with no internet, no connectivity, no Bluetooth, there just is no way to get it onto your system, unless you have others getting access to your system and hitting malware laced websites, or they ninja in at night and upload this physically onto your system while you're asleep or at work, or they are in your kitchen eating your cookies. There are Microsoft drivers for known products like Intel, Logitech, etc.. that are valid, just a default driver set for recognized hardware; even MS has a default driver for Nvidia for video (though the full blown Nvidia driver is the way to go). At this point from what you say, they have your PC, Blackberry, wireless mouse, etc... you should be looking for the men in black at this point, or gremlins. :P Advice offered. If you need more help it is advised to seek the counsel and advice of paid professionals. The answer is always 42, or reboot.
September 6th, 2011 4:35pm

Michael! I'm so sorry to be just responding to your post. My internet access was "restricted" for several days. First, I can not tell you how validating it was for me to read your initial post. For almost two months, all I've heard from anyone is "that can't be happening". Typically, I am an incredibly easy going, even tempered person. Yet, a couple of times, I have been close to Mt St Helens on an eruption level. The entire situation is completely frustrating.. having to deal with the laptops, the tech people.. ugh. Anyway, we have much of the same hardware. I have SO many drivers in my device mgr. Whatever is going on is completely related to USB ports (that I don't have) and UPnP devices that aren't connected. Many of the drivers are listed as "running in a separate memory place". In addition to the weird Media Center angle (speaking of which, I've found files indicating my Xfinity box is somehow related - I did some research and the Xfinity controller will drive most any wired device), I'm pretty sure the icons play a part. They are all now enhanced. Fonts are involved, as well. I know that's a bit vague, but this is way out of my realm. Have you noticed lots of bogus file extensions? Looking in the registry of both laptops, there were so many. I don't want to take the time to check my notes right now, as I'm afraid I'll lose this post. I'm typing it on Notepad and will copy and paste it when finished.. that way, I can keep saving it as I go along. I've learned my lesson having lost a couple of other lengthy missives I've written in regard to this situation. Yes! I have the "X: drive" too! It's not obvious in My Computer but I see it when I do my basically daily reinstalls. I have the handicap programs set up, as well, the magnifying glass, and the speech thing. Do you have a folder called Panther? In one of your posts, you mentioned Windows Easy File Transfer is involved (DEFINITELY). 
Today, I was in the control panel of the Vista laptop and saw I had offline files (I didn't even know there was such a program).. I don't.. but someone does, and to the extent of 35GB. I was able to access the files. One was Me (my computer name), one was Network maps, and one was Computers. The folders were all empty but empty, they added up to 35GB. Do you have little arrows at the top of the menu bar on your file folders? If you click the little arrow, it goes somewhere else, possibly to a mirror file. I have a ton of empty folders to which I'm denied access, my assumption is they're for transfer purposes only. I do know the HDDs on both laptops are "online".. they shouldn't be. Also, within "my computer", there's a recycle bin.. not strange.. but it's locked (strange) and there's another recycle bin inside it (more strange) and finally, my hard drive or a copy of my hard drive is inside it, as well (truly bizarre). The way things are set up, I basically am nothing but a port of information. I have access to my docs, photos and a few program files. I'm locked out of everything else. I can not do a hard reset on my month old router and the password has been changed. So, I'm locked out of that, as well. I have never been one to share files, anything but now I am sharing everything.. my phones, my laptops, everything. Changes were made to my Verizon account last week.. I didn't make them. I have apps on my phones I didn't put there. Just like the router, they will not reset to factory default settings. Just like the router, they start the reset process but don't go through the final power down to complete the process. Before I forget, the Windows Sync and Sidebar programs are heavily involved in the conjoining.. I refuse to call this a network. They are my computers and I didn't set this fiasco up. I also saw a file indicating that IAS was instrumental in the initial point of entry. I'm not sure what that is and haven't had time to check it out, yet. 
Michael, you mentioned the personal effect this situation has caused. I truly understand! For years, I've made a good living selling on ebay. For the past 2 months I've been afraid to open my PP account. You mentioned the video cam.. I have that, too. I also have microphones in my sound devices I didn't install. Finally, in the device mgr, there are drivers for a PS2 mouse (neither of my laptops supports that interface), a PS2 keyboard and a PS2 monitor. It is gravely startling. Back to the reinstalls, immediately thereafter, all of the group policy files are completely in place and off limits to me. Plus, the DVD drive makes lots of funny noises during the entire process. I am pretty sure whatever installation is going on, is being driven by the "big boss" computer. I know this sounds nuts but I've seen files indicating my MBR is in the DVD drive. Hey, do you have an icon for a jump drive- drive E:- that you don't really have? It drives me nuts. All of this drives me nuts. Have you looked in any of the DCOM files? In the reg keys, there's something called the threading model, threading something. Anyway, the value is "the apartment".. No lie. Oh and yes, my software and documents have been subverted. I made a note of the files in my AVG and then downloaded it at my sister's just to check the file content. It was not the same. I have so much more to tell you but this is so disjointed already, I think I'll save it for later.. This is a really weird thing to say.. but thank you, Michael! Thank you for your post.. thank you for knowing what I'm talking about.. just THANK YOU! Missy PS- one more thing.. have you noticed the default IE home page after one of your reinstalls? Is it http://go.microsoft.com/fwlink/?LinkId=68748? Having recently had a total of 4 Dell factory refurbished HDDs with a factory image of the OS, I noticed the default home page on each was Dell.com. 
So, I called Dell and asked if that was always the default IE homepage on one of their branded Windows OS disks.. Yes, it is.
September 10th, 2011 9:40pm

Jason/ Joseph- Thanks to both of you for weighing in. I'd like to clarify my position, I don't really care about assigning blame. I don't see this as a Microsoft problem. I see this as a Missy problem.. a BIG problem for Missy, and it seems Michael, as well. I just want some help. I don't care where it comes from. I think I can speak for Michael, as well. I would gladly open another case with Microsoft if I thought the responding tech would actually listen to me, consider what I have to say, the depth of the information I have. Yet, as my "scans" will come up clean.. they won't. My experience has been they will not listen and they will speak derisively. I am so not up for having to defend myself.. and so totally over having to repeat the same thing over and over to 37 people and then be told a clean install or a new HD will solve the problem. Back to scans, I'm pretty sure my WU update files are subverted. I also know they bring in other programs as they're installed. My laptop that runs Win7 showed it was installing update number something of update 51,937. Give me a break. Tonight, I downloaded an ATI video driver from Dell.com and Microsoft Visual Basic C++ 2005 came with it. Whatever is going on in my laptops, whomever is driving it, they aren't even discreet anymore. During the installation of the ATI software, I actually had the option of installing the ATI software and/ or the M VB C. There were selection boxes next to both. I couldn't actually make a choice. The choice had been made already and made permanently. The boxes were no longer active. They were checked with unremovable check marks. Finally, I forgot to mention this to Michael.. whatever this is, I'm pretty sure its current model is the DENALI project server on Microsoft's website. I know nothing about it, had never heard of it before. However, today I saw several pages in my IE history.. no one uses my laptops but me. 
I'm wondering if the "Panther" file I have, which is relatively recent, is a take off on Denali. Really, I haven't been online much this week. So, little of the IE history was mine. My comcast modem and Belkin router both showed tons of activity all week long, especially late at night. I couldn't get online. Alternately, my Network Controller would be disabled (not the reenable kind of disabled but the FY kind of disabled) or the Network Troubleshooter would show no problems but an error msg saying either "restricted" or "access denied".. How much would that just piss you off? There are days when I feel like running my car over both laptops. Anyway, if you have any suggestions as to a specific department at Microsoft, even better, a specific person, I could call, I would be grateful. Isn't this situation what all those updates are coded for? Someone there has to realize this does happen. Yet, the thought of spending hours on hold to reach someone who can't even fathom something like this, who patronizes me and speaks to me like I'm either crazed or a moron, it's just not worth it. OR- if you could give me some guidance as to how far I need to go to completely clear this.. and I'm not talking about fixing my laptops. I'm talking about new laptops with Linux or a Macbook, new router, new phones.. Seriously, not being able to feel comfortable working on these laptops, not to mention not being able to count on reliable use is killing me financially. I need to fix this, fix it completely and fix it fast. I don't really have the money to spend right now, but I can't not spend it. If that's what needs to happen, if that's the route I need to take, I just want to be certain I do it completely. I don't want to not replace something that needs replacing, then find I'm in the same place, with the same problem and even less money. Then I would be epically pissed. Thanks! Missy
September 10th, 2011 10:29pm

Missy, After being controlled by this monster for sooooo long I think I have finally started to see an end to it. This is all related to the Microsoft Group Policy, Active Directory, DCOM and COM+. I started by turning off Group Policy and DCOM in the registry. I immediately saw a big difference. All the processes running by other people stopped. But this concerned me as I thought maybe some of those processes may be needed by the OS. So I made a big mistake and turned DCOM back on. This led me to another 5 days of frustration and another 10 new installs of the OS. This occurred because the hacker put in some type of program that crashed the OS if I turned Group Policy off. So at the moment I just have DCOM and COM+ turned off. At the moment the hacker can not control my Laptop, but he/she/them are still trying to gain access as I see them trying to enter when I monitor the Network. Within minutes of downloading a new firewall program they disassembled it. So while I am no longer under "The Man's" control, my computer is still infected with a lot of garbage. I also have the Group Policy running. I know how to turn it off, but now I am concerned about turning it off as I can not afford to have my laptop crash again. I also have all of the DCOM programs on my laptop. If somehow this person were able to gain access to my machine and then turn on DCOM, I would be right back where I started at. Virtually everything that you see occurring on your machine is or was on my machine also including the reference "The Apartment". It is funny in that I thought this to be funny and a little strange myself. I found that about 2 or 3 weeks ago. I had some log files that I saved and had hoped to present to Microsoft's upper management, but these people somehow wiped them off my hard drive. I don't know if they had set up a program to wipe their steps if the computer got out of their control or if they sent the computer instruction to do this. 
These log files contained information about my OS installs. There was also one large log file about all OS installs these people have done and there were thousands of records. It appeared as if this install may have been sent to Microsoft. I think these people may be some type of re-seller or authorized distributor for Microsoft. I do not know how Microsoft's dealer channel works so I will not comment on this too much, but it does appear as if Microsoft is also being duped which all along I had suspected, but when I brought it to Microsoft's attention awhile back I got "I doubt it" comment. I am a little concerned about giving you the exact instructions to turn off DCOM and COM as I don't want to be responsible should it not work or should you have some other problem. I will tell you it was done via Component Services under Administrative Tools. You need to go in as the Author. You need to change your capability to Author Mode once you get in. You need to open Component Services, open computer. You should have a "My Computer" icon. This is the magic. You need to right click "My Computer" go to properties and open. You should get a window with 6 tabs. This is very important. If you did any of the previous steps incorrectly you will only get 2 tabs (this stumped me for a week or so). You need the six tab window. Go to the default Properties tab and take the check-mark out of DCOM and COM. It is my understanding DCOM is designed to be run in a Wide Area Network environment which one would find with Group Policy enabled. I don't know so much about COM services but I wasn't taking any chances so I just turned it off. Once I did this "The Man" who controlled my machine was gone. Once I did this I immediately started to get many requests for remote assistance. I also started to get a few pop up windows (and continue to get them) stating that a particular program is not compatible with my OS and the recycle bin is corrupted. 
I started to get the recycle bin pop up a few weeks back. I am now afraid to click it to fix it. I am concerned it is malicious and may send a Remote Access approval back to "The Man". I feel as though I have gone to hell and back with this issue. Everyone thought I was crazy. I would bring my computer to repair shops and they would just say Microsoft always has these things running. I started to think I was going crazy myself. I have just validated they were all wrong and I was 100% accurate that my computer had been hijacked. This issue has cost me a lot of money, lost income and so much time and frustration that I can't even put words to it. I called Microsoft's special computer problem number after I resolved this issue. I told them what had occurred. They directed me to a website which goes to Microsoft's Ethics department. I will certainly let them know about this as I believe Microsoft needs to inform me as to how I get my computer OS back to how it was before these events occurred. My problem with Microsoft is I have a contract with them to provide Software virus assistance. I asked them in March to help me turn off Group Policy. They said it could not be done via Win 7 Home Premium. Looking back I wonder how it could be turned on if it couldn't be turned off. I am now using Win 7 Ultimate and I still have no way to turn it off without going into the registry which is not something I am willing to do after what I have just been through. Two good things came out of this but it still was not worth what I went through. One was these hackers increased the speed of my internet connection by 400%. The other was I got a free copy of Win 7 ultimate. It was a bootlegged copy to begin with but since my legit copy of Home Premium was not offering any solutions I decided to give Ultimate a try. Every time I put a new copy of the OS on my computer I would receive a new registration code within 24 hours. 
It is my belief this new code came from the hackers as there is no other way I could have gotten it. One last thing - be very wary of Windows Updates. I believe Windows Updates played a very important part in this mess. It is my understanding Active Directory customers can use Windows Update to send their computers they have under a Group Policy to a different website than the one the general public would be sent to. Obviously this is very concerning. At the moment my Windows Update is in some type of error status. I had suspected all along I was not receiving the correct updates for Windows. When I installed SP1 from a disk I got many error messages and only later would get my computer back online. I want to somehow stay in touch with you to make sure your issue gets resolved and as confirmation this was a real BIG problem and I was not going crazy. I will check back in a few days. Good luck!!
September 11th, 2011 9:54pm
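The post above describes unticking the DCOM boxes on the Default Properties tab of Component Services and worrying that the setting could be flipped back. As an added example (not code from the thread), this PowerShell snippet reads the machine-wide switch that checkbox writes, HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM, together with domain membership, so the state can be re-checked after a reboot or reinstall instead of navigating the MMC again. It assumes an elevated PowerShell on Windows 7 or later; the expected-state value is the caller's own assumption.

```powershell
# Added example, not part of the original thread.
# Reads the DCOM master switch and domain-join state for an audit record.
function Get-DcomAuditState {
    $oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
    # EnableDCOM is a REG_SZ of "Y" or "N"; when the value is absent, DCOM is on.
    $raw = (Get-ItemProperty -Path $oleKey -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
    $dcomEnabled = ($null -eq $raw) -or ($raw -ne 'N')

    # Win32_ComputerSystem reports whether the machine is domain-joined and to what.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        ComputerName = $cs.Name
        DcomEnabled  = $dcomEnabled
        RawValue     = if ($null -eq $raw) { '(absent, defaults to Y)' } else { $raw }
        PartOfDomain = $cs.PartOfDomain
        Domain       = $cs.Domain      # workgroup name when not domain-joined
        CheckedAt    = (Get-Date).ToString('s')
    }
}

# Compares the live state against what the owner expects; returns $true when they match.
# Useful as a scheduled check that logs a warning if the switch was flipped back on.
function Test-DcomExpectedState {
    param(
        [Parameter(Mandatory)] [bool] $ExpectDcomEnabled,   # assumption: caller's policy
        [Parameter(Mandatory)] [bool] $ExpectDomainJoined
    )
    $state = Get-DcomAuditState
    $ok = ($state.DcomEnabled -eq $ExpectDcomEnabled) -and
          ($state.PartOfDomain -eq $ExpectDomainJoined)
    if (-not $ok) {
        Write-Warning ("State drift on {0}: DcomEnabled={1} (expected {2}), PartOfDomain={3} (expected {4}), Domain={5}" -f
            $state.ComputerName, $state.DcomEnabled, $ExpectDcomEnabled,
            $state.PartOfDomain, $ExpectDomainJoined, $state.Domain)
    }
    return $ok
}

# Example run for a home laptop that should be in a workgroup with DCOM left off:
Get-DcomAuditState | Format-List
Test-DcomExpectedState -ExpectDcomEnabled $false -ExpectDomainJoined $false
```

Turning EnableDCOM to N disables every DCOM-dependent component on the machine, not only remote ones, so the audit reports the state rather than changing it.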

Michael and Missy. I am a member of your club. It happened to me also...going on 3 years, multiple phones, computers, hard drives, modems etc. I think I am on the brink of losing the whacko. My questions to both of you are...did you grow up in Loudoun County and attend high school in the 70's and or do you or have you lived in Oregon, Washington or the San Fran area? If you answer yes, would you please join me in prosecuting "her"? Thanks for your reply. Cat
June 10th, 2012 10:40pm

This topic is archived. No further replies will be accepted.