need to learn how to fight back hackers

meows

Distinguished, Oct 16, 2009
Ongoing for years. Yes, the system is bits and pieces put together for 20-some years now; hardware fairly new.

What I want to understand is this: I just ran Process Explorer and found a client server running under csrss, and terminal server. I have the terminal server disabled in the registry and services.
When I ran my kill-anything program, it closed the applications and caused a blue screen.

Now, what I would like links to is how to read the memory addresses and stacks.
I got suspicious when my system slowed down and the hard drive would not stop, and I found this in the temp dir:
[06/23/2015-19:58:37:966] INFO: **************** SetupUtility Started ****************
[06/23/2015-19:58:37:966] INFO: Command Line: SetupUtility.exe /screboot
[06/23/2015-19:58:37:966] INFO: **************** SetupUtility Ended

And I have not installed anything at all.
Strings in the stack:
0013DA3C 773AD976 -> LdrpResGetResourceDirectory Enter
0013DAFC 00176228 -> C:\Windows\system32\dwmapi.dll
So how do you know what these mean? "0013DAFC 00176228"

Or this?
0013DD78 73B2A618 -> KERNEL32.dll
0013DEB8 0013E31C -> rolSet\C⿧眻睐ꚀƜ
0013DEE4 0013DF8C -> C:\Windows\system32\en-US\Dwm.ex⿧眻睐犠睃Ƭ
0013DFB4 006E0065 -> run in DOS mode.

What language is that, and where can I learn about it?

I am at wits' end and so, so tired of the BS. I just added a registry lock to prevent access to the registry unless I approve it, but from this it looks like the lock is not doing the job.

I have tons of tools to track down and delete the viruses and such, but I want to know the inner workings of the threads, memory access and stacks so maybe I can put together something to stop this in the first place.

Oh, for the record, yes, I run virus and firewall protection. Why, I wonder, as none of them can do the job any more. I do not open any email on my computer with graphics or attachments; I run 8 virtual drives to check out things before they reach my computers.

But it's time to learn some new stuff, and I appreciate any help in that direction anyone may have.
I have Visual Studio 4, 2005, 2010, MASM and other programming tools, but missed the boat for most but the simple things. I can make kick-tail games and currently a high-end software installer, but can't protect my own computer from attack any more.

Many thanks for all advice other than using this computer as a doorstop.
Christine
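The posted stack lines, worked through in code. This is an added example, not something from the thread or from the tool that produced the dump. The 8-hex-digit addresses mean a 32-bit process; the module base addresses, stack range and heap range below are constructed for illustration, because the real ones come from Process Explorer's DLL view or a debugger's module list and differ per machine and per boot.

```python
import re
import struct

# Constructed sample: the stack lines from the post, re-typed with the
# original tool's annotations on the right. The code derives its own verdicts.
SAMPLE_DUMP = """\
0013DA3C 773AD976 -> LdrpResGetResourceDirectory Enter
0013DAFC 00176228 -> C:\\Windows\\system32\\dwmapi.dll
0013DD78 73B2A618 -> KERNEL32.dll
0013DEB8 0013E31C -> rolSet\\C
0013DEE4 0013DF8C -> C:\\Windows\\system32\\en-US\\Dwm.ex
0013DFB4 006E0065 -> run in DOS mode.
"""

# Hypothetical memory map for a 32-bit process (name, base, size). Real values
# come from Process Explorer's DLL view or a debugger's module list and change
# per machine and per boot, which is why a dump cannot be replayed elsewhere.
MODULES = [
    ("ntdll.dll", 0x77380000, 0x13C000),
    ("KERNEL32.dll", 0x73B10000, 0xD4000),
]
STACK = (0x00130000, 0x00140000)   # hypothetical range of this thread's stack
HEAP = (0x00170000, 0x001A0000)    # hypothetical range of the process heap

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+->\s+(.*)$")


def parse_line(line):
    """Split 'ADDR VALUE -> annotation' into integers plus the note, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"addr": int(m.group(1), 16), "value": int(m.group(2), 16),
            "note": m.group(3)}


def as_utf16(value):
    """Read the 4 bytes of a little-endian DWORD as two UTF-16LE code units.
    Returns the text if both are printable, else None. 0x006E0065 sits in
    memory as 65 00 6E 00, which is the letters 'e','n' in UTF-16LE."""
    raw = struct.pack("<I", value)
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:      # e.g. a lone surrogate code unit
        return None
    return text if text.isprintable() else None


def in_range(value, lo, hi):
    return lo <= value < hi


def classify(value):
    """Decide what a stack slot most likely holds, pointer-like cases first."""
    for name, base, size in MODULES:
        if in_range(value, base, base + size):
            return {"kind": "module", "module": name, "offset": value - base}
    if in_range(value, *STACK):
        return {"kind": "stack"}
    if in_range(value, *HEAP):
        return {"kind": "heap"}
    text = as_utf16(value)
    if text is not None:
        return {"kind": "text", "text": text}
    return {"kind": "unknown"}


def analyze(dump):
    """Parse every dump line and attach a classification to it."""
    results = []
    for line in dump.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        entry.update(classify(entry["value"]))
        results.append(entry)
    return results


def describe(entry):
    k = entry["kind"]
    if k == "module":
        what = f"code/data inside {entry['module']}+0x{entry['offset']:X}"
    elif k == "stack":
        what = "pointer to another slot higher up this same stack"
    elif k == "heap":
        what = "pointer into the heap (the tool showed the string it found there)"
    elif k == "text":
        what = f"not a pointer: UTF-16LE text {entry['text']!r} stored inline on the stack"
    else:
        what = "cannot tell without the live memory map"
    return f"{entry['addr']:08X} {entry['value']:08X}  {what}"


if __name__ == "__main__":
    for e in analyze(SAMPLE_DUMP):
        print(describe(e))
```

Reading the output against the posted annotations: the first and third slots fall inside loaded modules (return addresses or data pointers, which is why the tool could name `LdrpResGetResourceDirectory` and `KERNEL32.dll`); the second points into the heap at the dwmapi.dll path string; the two `0013Exxx` values point at other slots on the same stack, where the `rolSet\C` and `en-US\Dwm.ex` fragments live. The last slot, `006E0065`, is two UTF-16LE characters, "en", the start of the `en-US` path fragment sitting right above it. The original tool instead treated it as an address and found "run in DOS mode.", which is part of the DOS stub message ("This program cannot be run in DOS mode.") at the top of every PE image. Whether a slot is a pointer or inline text is exactly the guess every stack walker has to make, and the CJK-looking garbage after `rolSet\C` is what you get when a tool prints bytes of one encoding as if they were another: it is not a language, just mis-decoded bytes.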

hilltopmonk

Distinguished, May 26, 2011
What you are seeing is likely SYSTEM access requests, which are escalated without your knowledge or explicit permission.

They are required for your computer to function correctly, so it would be inadvisable to change them.


The only issue here is that malicious programs can escalate their own permissions once in the system, by you clicking Accept once.

If there is something in your system, the only way this could be resolved is by using an out-of-system scan to even identify the problems.


Knoppix, Spybot boot scan, MBAM boot scan, etc. can identify most of this stuff and in some cases remove it.

Check your Windows Update history. That SetupUtility.exe is for .NET Framework, and whenever that installs or updates it has a tendency to slow computers up a hell of a lot.

The hex numbers are memory addresses. They will change depending on the machine; there is no way of replicating them exactly on another machine.

http://mh-nexus.de/en/hxd/ Programs like this can read them, but that's just machine code: not what it was written in, but the result.


Those changes you were seeing could be legitimate uses from the system. Without messing about with it, there is no way to tell.


The only thing I can say is to ensure you don't download from CNET or SourceForge. Sadly, these once-reputable sites have been taken over by new owners, unscrupulous bastards who add malware and unwanted programs to their downloads.


Hope this helps in some way.
Solution

meows

Distinguished, Oct 16, 2009
Bless you hilltopmonk !
After reading your suggestions I went looking and looking, and one of my bots came back with http://www.anvir.com/. A very nice tool to add to my collection; it has saved me some grief, as it has about 8 of my tools wrapped up in it and more.

Thanks again!