
SuS "trojan" in XP -- Changes OS and creates "virtual" remote desk


SRGriffin
Apr 16, 2005, 4:31:03 AM

I have a small network of XP machines, mostly XP Home, that appear to have a
SuS installation that propagates to them. It looks like it installs an NT or
2000 headless boot (maybe XP Embedded??) and gives me a remote desktop that
looks exactly like XP, but has a lot of strange behavior (looks like NT or
2000 is installed, all devices are legacy, network traffic is forwarded from
loopback to "host", I don't seem to have full permissions, etc.)

I've been trying to figure this one out for months and keep thinking I'm
just paranoid. Not being an XP expert (silicon and systems design), it took
me a while to find all the pieces I'm still sorting out.

I'm DEFINITELY on a remote desktop, SuS is installed, the MMC console appears to
be modified (mmccmdmgr.dll) w/ VB6, and the CD-ROM(s) are redirected and don't
give me what's really on them or "read them". Downloaded packages are
"signed", but the time stamp is off by a year or more, and they contain
things they shouldn't.

The USB drivers I downloaded from ViaForum are filled with QFE fills for
instance.

Even a Ghost diskwipe doesn't seem to get everything (Thinking it writes
stuff into the BIOS DMI).

All virus and spyware scans come back negative, but I have realized, at least
in some cases, it either kills the app I started (Norton 2005) and starts an
older version (Norton 2002) or else it scans a clean part of the disk only.
(There's some disk space I can't access, and I found some code that looked like
it would return a "sector error" w/o the key).

I know this sounds like the ultimate paranoid delusion, but I'm sure it's
there. Although to be fair, until December, when this first started to become
obvious, my security inside the firewall was pretty terrible. Since I had
tons of development stuff -- compilers, VMware, bits of old OSes in archives
-- it's possible someone or some program had a lot of time to set all this
stuff up. I also had 2003 Server on the network, just to install (and
thought I had removed all the others from the network), and could have done
something then...although nothing intentional and certainly not to the extent
that I see (like NT/2000 files).

My first question is: What's the cleanest way to remove SuS and get the
correct CAT files back and being referenced on XP Home? (SFC scan asks for a
2000 disk, which I obviously don't have).

Second question: While this may be just me, I've seen similar behavior on
friends' computers (although they've all had some sort of contact with my
environment). Is there a quick way to detect SuS and some boot server
running?

Last question: Anyone EVER heard of this? Is this a known issue I just
haven't been able to find anything about?

I'm happy to share bunches of data with anyone that wants it (or thinks I'm
just paranoid;). I'm currently thinking I'll be able to hook the 2003 server
back up and fix them through group and local policy changes, but it would be
nice if there was an easier fix.

Regards,
SRGriffin

SRGriffin
Apr 18, 2005, 6:45:01 AM

Here are a few more details:

On a Compaq laptop I took apart to replace the DVD drive, among other things
(bought it new from Circuit City):

Ghost-wiped the drive, then loaded the OS image with the Compaq restore
disks (4 CDs). Loaded SP2 from a CD from MS. Loaded Norton Security 2005,
Partition Commander 9, Fix-it Utilities. Renamed or deleted directories
containing any .cab files or other possible installation sources. Cleaned
the registry with "Fix-it" default, safe settings.

Connected to direct internet connection to get updates and then
disconnected....

One of the updates automatically downloaded...Virtual PC Update!??

Hidden devices in Control Panel include: ACPI-Compliant Embedded Controller;
AFD Networking Support Environment; clntmgmt.sys, dmboot, dmload, EABFilter,
Fallback, ksecdd, mnmdd, Fsks, RDPCDD, ParVdm.....more, but I realize some might
be XP standard ???

SQL Server and ISS appear to be installed, but I can't update them. IE 4.0 gets
installed, and IEAK.

All computers have registry settings for:
Key Name: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\COMPAQ\0818\06040000
Class Name: <NO CLASS>
Last Write Time: 4/17/2005 - 5:10 PM
Value 0
Name: 00000000
Type: REG_BINARY
Data: <<Nearly 10kb in data follow>>

Key Name: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port
0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Class Name: <NO CLASS>
Last Write Time: 4/17/2005 - 5:10 PM
Value 0
Name: Identifier
Type: REG_SZ
Data: FUJITSU MHR2030AT

Key Name: HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\Hardware
Abstraction Layer\ACPI Compatible Eisa/Isa HAL
Class Name: <NO CLASS>
Last Write Time: 4/17/2005 - 5:10 PM
Value 0
Name: .Raw
Type: REG_RESOURCE_LIST
Data:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ComServersTable.ComServersTable.1\CLSID
Data: {7B3125F4-F14D-11D1-BE0C-000000000000}
HLM\System\CurrentControlSet\Services\Abiosdsk
HLM\System\CurrentControlSet\Services\basic2\enum\0
HLM\System\CurrentControlSet\Services\Cnxtdiag\Enum\0
HLM\System\CurrentControlSet\Services\dmadmin\
HLM\System\CurrentControlSet\Services\dmboot\
HLM\System\CurrentControlSet\Services\dmio\
HLM\System\CurrentControlSet\Services\EABFilter --> image:
\??\C:\WINDOWS\System32\drivers\EABFiltr.sys
HLM\System\CurrentControlSet\Services\MSPQM --> image:
system32\drivers\MSPQM.sys
HLM\System\CurrentControlSet\Services\MRxDAV\EncryptedDirectories\
HLM\System\CurrentControlSet\Services\MSIServer ---> MS Installer Server
HLM\System\CurrentControlSet\Services\P3\Enum\INITSTARTFAILED ---> 1 <<P4
System>>
HLM\System\CurrentControlSet\Services\Ql10wnt\Group\SCSI Miniport\
HLM\System\CurrentControlSet\Services\RASl2tp
HLM\System\CurrentControlSet\Services\RASMan
HLM\System\CurrentControlSet\Services\SharedAccess\Epoch\ <<<No Sharing
Enabled>>>
HLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ --->xpsp2res.dll,-22019
HLM\System\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\
HLM\System\CurrentControlSet\Services\Simbad
HLM\System\CurrentControlSet\Services\Sparrow\Parameters\PnpInterface\1 --> 1
HLM\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Well Known
Guids\AppleTalk \IsoTp \McsXns
HLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\image ==> winrnr.dll
HLM\SYSTEM\CurrentControlSet\Services\wmiApSrv
HLM\SYSTEM\CurrentControlSet\Services\wuauserv\parameters\SerivceDll -->
wuauserv.dll
HLM\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1\

HLM\SYSTEM\CurrentControlSet\Control\Arbiters\BrokenMemAtF8...\BrokenVideo
...\Root
HLM\SYSTEM\CurrentControlSet\Control\GroupOrderList\base
....\filter..\FSFilter {cluster,compression,replication, top....}
HLM\SYSTEM\CurrentControlSet\Control\HAL\CStateHacks
HLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages --> msv 1_0
HLM\SYSTEM\CurrentControlSet\Control\Lsa\forceguest --> 1
HLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot ---> 1
HLM\SYSTEM\CurrentControlSet\Control\Session Manager\SFC\CommonFilesDir
\ProgramFilesDir
HLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Kmode
\Optional \Posix... \Windows
HLM\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType ---> WinNT
HLM\SYSTEM\CurrentControlSet\Control\Session
Manager\AppPatches\INSTSCR\ff060102c47b1f00040750db0100\e
<<Notice Offset on Hard drive>>
HLM\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\1&30a96598&0&Signature24DA24D9Offset7E00Length6FC7C0200\Control

HLM\SOFTWARE\ATI Technologies\CDS\System\0
HLM\SOFTWARE\GIANTCompany\AntiSpyware\ <<MS AntiSpyWare>>
HLM\SOFTWARE\ODBC\ODBC.INI\ODBC File DSN\DefaultDSNDir

HCU\Software\Microsoft\IEAK
HCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
HRZR_EHACNGU:::{20Q04SR0-3NRN-1069-N2Q8-08002O30309Q}
HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\abgrcnq.rkr
HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Abgrcnq.yax
HRZR_PGYPHNPbhag:pgbe
HCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache\Extensible Cache\MSHist012005041820050419

Partition Commander (scout) log: [small portion]
==============START OF PARTITION MANAGER ============
Drive 0 (ATA) - Validated
From Windows (#0): 27.944 GB Total sectors = 58605120 (LBA -0)
Cylinders = 3648 Tracks = 255 Sectors/track = 63
From controller: 27.944 GB Total sectors = 58605120
Cylinders = 16383 Tracks = 16 Sectors/track = 63
HD-model: FUJITSU MHR2030AT (firmware 53BB) s/n: NJ36T2915YRW
Supports drive > 137 GB
Features: power=yes, removable=no, fault-detect=yes, security=yes
(0009)
Host protected area supported & enabled w/48-bit addr. (none used)
Drive & --Starting-- ---Ending--- -------Sectors------- ---Size
in GB-- Clust
Partition ID Sec Hd Cyl Sec Hd Cyl First Total Total
Unused size Volume label
C: +0-0 07 1 1 0 63 254 1023 63 58605057 27.944
FSv3.1 4K
0-1 00 0 0 0 0 0 0 0 0 0
- -
0-2 00 0 0 0 0 0 0 0 0 0
- -
0-3 00 0 0 0 0 0 0 0 0 0
- -
~~~~~~~~~~~~~~~~~~ <<<Con't>> ~~~~~~~~~~
3) Media descriptor byte (never below F0h) F8
4) Sectors per track (should match the disk) 63
5) Tracks per cylinder (should match the disk) 255
6) Total sectors from the partition entry 58605057
7) Total sectors from boot (should match partition) 58605056
8) Extended signature (29h for FAT/FAT32, 80h for NTFS) 80
9) File system ID "NTFS "
10) Start of the MFT 804864
11) Start of the MFT copy 2098486
12) Clusters per MFT record (power of 2 or F6h for 1K) F6h
13) Clusters per index record (power of 2 or F4h for 4K) 01h
14) Volume label ""

==========================END OF PARTITION MGR==========================

Any other thoughts or comments? Still working on getting server up to
manage these better....will that work with Home?
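
The four HRZR_... value names in the registry listing above are Explorer's UserAssist entries, whose names Windows stores ROT13-encoded by design, so they look like gibberish in a raw dump. As an added example (not code from any poster in this thread), the Python script below decodes those exact names and labels what each refers to; the prefix descriptions in PREFIX_MEANING come from common forensic documentation of the XP-era UserAssist format, not from the thread.

```python
"""Decode the ROT13-obfuscated UserAssist value names quoted in the thread.

Windows Explorer records program launches under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count
and ROT13-encodes every value name.  Decoding them shows what a suspicious
looking entry such as "HRZR_EHACNGU:P:\\JVAQBJF..." actually records.
"""
import codecs
import re

# Value names copied verbatim from SRGriffin's registry listing in the thread.
SAMPLE_NAMES = [
    "HRZR_EHACNGU:::{20Q04SR0-3NRN-1069-N2Q8-08002O30309Q}",
    "HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\abgrcnq.rkr",
    "HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Abgrcnq.yax",
    "HRZR_PGYPHNPbhag:pgbe",
]

# Meaning of the decoded UEME_ prefixes, as described in forensic references
# for the XP-era UserAssist format (not taken from the thread).
PREFIX_MEANING = {
    "UEME_RUNPATH": "program launched by full path",
    "UEME_RUNPIDL": "item launched via a shell link / PIDL",
    "UEME_RUNCPL": "Control Panel applet launched",
    "UEME_CTLCUACount": "Explorer usage counter (UserAssist object constructed)",
    "UEME_CTLSESSION": "session counter",
}

# A registry-style CLSID: {8-4-4-4-12 hex digits}.
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


def rot13(text):
    """ROT13 touches only ASCII letters; digits, braces and backslashes pass through."""
    return codecs.decode(text, "rot_13")


def decode_userassist(name):
    """Decode one UserAssist value name into its UEME_ prefix and the item it names."""
    clear = rot13(name)
    prefix, _, target = clear.partition(":")
    # Shell namespace objects are written as ':::{CLSID}' rather than a file path.
    target = target.lstrip(":")
    if CLSID_RE.match(target):
        kind = "shell namespace object (CLSID)"
    elif target.lower().startswith("%csidl"):
        kind = "shortcut under a CSIDL special folder"
    elif re.match(r"^[A-Za-z]:\\", target):
        kind = "file path"
    else:
        kind = "other"
    return {
        "raw": name,
        "decoded": clear,
        "prefix": prefix,
        "target": target,
        "meaning": PREFIX_MEANING.get(prefix, "unknown prefix"),
        "target_kind": kind,
    }


def decode_all(names):
    """Decode a list of value names; returns one dict per entry in input order."""
    return [decode_userassist(n) for n in names]


if __name__ == "__main__":
    for entry in decode_all(SAMPLE_NAMES):
        print(entry["raw"])
        print(f"  -> {entry['decoded']}  [{entry['meaning']}; {entry['target_kind']}]")
```

Decoded, the listing records notepad.exe being launched by path and by its Accessories shortcut, plus the "My Computer" shell object and a usage counter, which is ordinary Explorer bookkeeping rather than evidence of a hidden installer.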

andy smart
Apr 18, 2005, 10:10:05 AM

Can you boot it from a disk, and then run some scans from there?

SRGriffin
Apr 18, 2005, 11:56:02 AM

I think I have access to the floppy (after messing w/ the registry...you'll
notice the first reg. entry is indeed BIOS settings...either writing to CMOS
or emulating a BIOS, and the video card has a strange BIOS), but don't have
confidence in booting off a CD. Depending on how the server works out, I'll
probably convert the disk to FAT32 so I can get to it more easily.

SRGriffin
Apr 19, 2005, 12:34:01 AM

I was able to get the aforementioned laptop connected to the server and
verified exactly what I had suspected.

The laptop had win2000 installed on it.....AND the server was "infected"
too, but since it couldn't "trump" the domain rights it was relatively easy
to update security policies and fix.

So, on the "clean laptop install" and the "clean Server 2003" install I had
Win2000 installed also. I guess the real problem....POSIX was also
"installed". So POSSIBLY the server machine was just "infected" before.

But...this leads me to a bigger question...

How can this be confirmed w/o a Server handy and how many other people have
this same problem?? Seems like this could explain A LOT of things going on
lately....Internet Storm, Strange Permissions and such I see posted all over.

Oh, by the way...since Win2000 was in control, the other boot was still
WinXP SP1 even though I installed SP2 with a MS CD! Sure looked like it was
installed...but apparently it was uninstalled!

Very disturbing....I'm guessing I know of a few others with this problem as
well.

Mercury
Apr 19, 2005, 5:52:24 AM

Get a Knoppix CD with NTFS read, or one of the Windows diag boot CDs based
on WinPE or Bart PE, to get read-only access.

From your description, there appears only one way out - retrieve data files
only, fdisk, and rebuild all the systems. I won't say it sounds like a root
kit 'cos I have never come across one (there is RootkitRevealer) so don't
know, but this sounds so sick fdisk is surely the only way forwards -
keeping infected systems powered off and off the network (i.e. all systems).

"SRGriffin" <SRGr...@discussions.microsoft.com> wrote in message
news:9D79577F-54A0-4CE8...@microsoft.com...

markholmes
Apr 29, 2006, 6:08:30 PM

SRGriffin wrote:
> *Here are a few more details:
> HLM\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://tinyurl.com/e8zax

>
> HLM\SYSTEM\CurrentControlSet\Control\Arbiters\BrokenMemAtF8...\BrokenVideo
> .....\Root

> HLM\SYSTEM\CurrentControlSet\Control\GroupOrderList\base
> ......\filter..\FSFilter {cluster,compression,replication, top....}
> > SRGriffin *

--
markholmes
------------------------------------------------------------------------
Posted via http://www.webservertalk.com
------------------------------------------------------------------------
View this thread: http://www.webservertalk.com/message1024236.html

markholmes
Apr 29, 2006, 7:09:46 PM

I have tried for months and spent over $5000 on PC equipment. This
MALWARE has INFECTED EVERY COMPUTER - EVERY BIOS - EVERY HARD DRIVE.

I WENT OUT AND BOUGHT A BRAND NEW COMPUTER AND IT WAS INSTALLED ON THE
FIRST BOOTUP...I SWEAR. THIS IS AN AMAZING VIRUS.


ANY HELP?

MY SYMPTOMS ARE THE SAME AS YOURS. I'LL POST MY HIJACKTHIS FILE...BUT
IT DOESN'T REVEAL ANYTHING. I'M ON A WINDOWS MEDIA COMPUTER...I'VE
RELOADED THE SOFTWARE, REFORMATTED...100's OF TIMES OVER THE PAST 6
MONTHS. IT CONTROLS EVERYTHING. CD...FLOPPY...DOS...COMMAND LINE. IT
WILL RUN A HIDDEN UNINSTALLER RIGHT NEXT TO YOUR APPLICATION THAT
THREATENS IT. ANTIVIRUS...FIREWALLS...A JOKE!

THIS VIRUS IS EVEN ON MY DAD'S MACINTOSH. IT HAS DIFFERENT
SYMPTOMS...BUT HE HAS HAD PROFESSIONALS TRY TO FIX IT...WE HAVE BOTH
SENT OUR COMPUTERS IN TO THE PROS. THEY CAN'T FIX IT EITHER...THEY SEE
A COMPLETELY DIFFERENT REGISTRY. HOW DO YOU FIX THAT? BUY A NEW
COMPUTER? THE FILES / REGISTRY / COMPUTER YOU BOUGHT ARE NEVER GOING
TO BE THERE....I'M GLAD YOU FIXED YOURS.


I HAVE THOUGHT MINE WAS FIXED. I HAVE DOWNLOADED EVERY TROJAN / VIRUS
PROGRAM KNOWN...YES THEY CLAIM TO FIX THE MANY INFECTIONS ----------
BUT DAYS...WEEKS...THE COMPUTER'S GONE!

YOU CAN READ IN THE REGISTRY HOW POWERFUL THIS VIRUS IS...IT HAS
COMPLETE CONTROL OF EVERYTHING. I EVEN THINK IT RUINED MY SONY CLIE
AND HAD CONTROL OF MY HP PRINTER...ANY INFRARED / BLUETOOTH, ETC. IT
ATTACKS.

MY DAD CANNOT STOP HIS MAC FROM BEING A SERVER. IT'S A MESS...WE CAN'T
TERMINATE IT FROM USING ITS AIRPORT SERVICE...AND I'M SURE IT IS A PATH
TO INFECT / REINFECT.

I'M ILL.

PLEASE HELP.

I'VE SEEN OTHER PEOPLE CALL THIS THE TERMINAL SERVICE TROJAN.

IF THIS IS THE BIGGEST THREAT IN PC SECURITY...WHY ISN'T MICROSOFT...OR
THE ANTIVIRUS COMPANIES ALL OVER THIS?

I KNOW THAT NOT TOO MANY PEOPLE ARE INFECTED...BECAUSE IT LITERALLY
RUINS LIVES...I'VE READ A FEW POSTS THAT MAKE MINE SEEM SANE.

ALSO ... AMONG A MILLION THINGS OBVIOUS IN THE REGISTRY (BUT ONLY IN
THE REGISTRY!) PEOPLE MENTION THINGS LIKE WATCHDOG AND TIME BOMB ---
LOTS OF LEGACY STUFF... MOST EVERYTHING IN THE %SYSTEMROOT%...OR SOME
DRIVE LIKE .... HERE'S ONE FOR A CD....

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{1186654d-47b8-48b9-beb9-7df113ae3c67}\##?#IDE#CdRomHL-DT-ST_CD-RW_GCE-8527B________________1.01____#5&3aadb0d2&0&0.0.0#{1186654d-47b8-48b9-beb9-7df113ae3c67}


ANYWAY...ALL HELP IS APPRECIATED!
Logfile of HijackThis v1.99.1
Scan saved at 2:32:43 AM, on 1/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\SSuite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Mark\LOCALS~1\Temp\Temporary Directory 1 for
hijackthis[1].zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://wwww.yahoo.com/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD
& DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE"
/Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program
Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
- http://tinyurl.com/gxu22
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
- http://tinyurl.com/jzkj6
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP -
C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA,
Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe


]-Originally posted by SRGriffin -
*Here are a few more details:

HLM\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://tinyurl.com/e8zax

HLM\SYSTEM\CurrentControlSet\Control\Arbiters\BrokenMemAtF8...\BrokenVideo

....\Root


HLM\SYSTEM\CurrentControlSet\Control\GroupOrderList\base

.....\filter..\FSFilter {cluster,compression,replication, top....}

==========================END OF PARTITION MGR==========================


"SRGriffin" wrote:

David H. Lipman
Apr 29, 2006, 9:26:21 PM

From: "markholmes" <markholm...@mail.webservertalk.com>

| I Have tried for months and spent over $5000 on pc equipment. This
| MALWARE has INFECTED EVERY COMPUTER - EVERY BIOS - EVERY HARDDRIVE.
|

| I WENT OUT AND BOUGHT A BRAND NEW COMPUTER AND IT WAS INSTALLED ON THE
| FIRST BOOTUP...I SWEAR. THIS IS AN AMAZING VIRUS.

< snip >

This is bullsh!t and FUD !

There are NO viruses that can infect and live in a BIOS.

You are obviously re-infecting your computer.

You are also going to piss off people by posting in all caps. It shows laziness and in
Usenet space it is considered shouting. Not to mention all caps is more difficult to read.

Add to that you're posting an HJT log. HJT logs are more than discouraged in Usenet News
Groups; simply put -- don't post them in News Groups. There are Expert forums SPECIFICALLY
for HJT logs.

Forums where you can get expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.malwarebytes.org/forums/index.php?showforum=7


Finally, Trojans are not viruses. They do not self-replicate.

I don't know if you are a Troll or what, but this post certainly comes off as a Troll-like
post!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Panda_man
Apr 30, 2006, 3:23:02 PM

Hey, boy, do you understand what you say / state?
This is all wrong and it is not possible to happen; you are just doing
something wrong.

As soon as you reinstall Windows and format the existing hard drive, your
old data is gone.
You must use only genuine and legal Microsoft products because only they
guarantee you 100% success with no problems. Install legal drivers only! Install
reputable AV software as soon as you install Windows.
Update the AV. Use an internet firewall. Download and apply all updates for
your Windows operating system.
Don't install stupid files/software that can potentially be a threat.

In your HJT log I see some things that are currently unknown to me, but I
have no time to search Google for them;
you can do this to receive more info.

And again, what you say is absolutely wrong and impossible to happen!

Regards!

Panda_man
--
Bronze level Contributor
http://pandaman.my.contact.bg
http://www.eset.com
Please, rate posts

vikki...@gmail.com
Sep 11, 2013, 12:03:15 PM

So I know this "thread" is 7 years old, but what these guys have told you is all true.
I have spent the last 5 months going through every registry key to figure out how
*whoever* was pulling this off. What is being done is that there is really no actual OS on your hard drive anymore...they are more just image files to give the illusion of your OS...they partition the drive and turn it into a VM server to either host a porn site...or a gaming site. Doing more research I happened to come across a chunk of the hack online:
http://www.gameru.net/forum/index.php?act=attach&type=post&id=2929

Also it is very real to have your BIOS infected, and this worm does just that.
To get rid of this I did an 8-pass DBAN wipe. On a clean machine I downloaded an updated version of my BIOS and put it on a USB drive along with ComboFix..rkiller and Malwarebytes. Before reinstalling my OS I made sure to unplug the modem/router, and then reinstalled, flashed my BIOS and then did another sweep of DBAN..formatted, and finally I think I have got it cleaned out.

I am sure there are many people hit with this if 7 years later it is still happening.
But if you are not aware of what should and should not be going on in your PC you would not even notice.
Hope this helps anyone who stumbles upon this post.

David H. Lipman
Sep 11, 2013, 12:31:29 PM

From: <vikki...@gmail.com>
The chances of an "infected" BIOS are lower than one's chances of winning the Powerball.
Corrupting the BIOS has a greater propensity.

--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

~BD~
Oct 8, 2013, 7:04:39 PM

Hi! :-)

You might like to read the thread here ....

Message-ID: <uok659d8gpj0tot6l...@4ax.com>

http://al.howardknight.net/msgid.cgi?STYPE=msgid&A=0&MSGI=%3Cuok659d8gpj0tot6lp68587dmpdf3d4ojf%404ax.com%3E

One answer there says:-

==

Well that sounds insane, but here you go, a theory.

He mentions SUS and a Windows 2003 server on the network. You can't
install SUS on Windows XP home, so maybe he *is* booting to a Remote
Desktop showing the Windows 2003 server on which SUS is installed.

Sounds Citrix like. Could be something like this

http://www.2x.com/products/

There's even a free limited user version, and the clients are free I
think. Get a bit of old hardware and turn it into a thin client for
FREE!!!!!!!!!!!!!!!!!!!

==

I might try that if it rains tomorrow!

Thanks for posting, btw.

--
Dave

Vickie McKnight
Oct 9, 2013, 6:05:55 AM

Still fighting it...I know it is crazy...! What do you think about some kind of hook being there and the *whatever* keeping access through DCOM config? I just nuked my hard drive with 7 passes and reinstalled again. I had the idea to change the settings using DCOMCNFG and got to a point where I was going to set permissions under launch and activation for all the groups, and I got shut out: I cannot change anything or access gpedit or WMI...very infuriating, whatever this is, but I am not giving up. Would you like to play a game? Any ideas?

Besides bleaching registry keys and changing values I do not know what to do. I have 3 comps that are like this that got infected from the network this last April / May. I do not know all the aspects of DCOM but I do know WMI or WMIC, and I am pretty sure this is their way in...but how can whatever they hit me with survive a 7-pass nuke that took almost 30 hours...ugh! Bout to just take it out back and beat it with a baseball bat.

Before I nuked this time they had partitioned the drive 4 times, and I'm pretty sure they are overseas...Korea? So any ideas...thoughts? If you know any DCOM syntax I can hit it that way in DOS..not finding a lot of DCOM syntax on the web.

Thanks!

Vickie McKnight
Oct 9, 2013, 6:32:25 AM

On Tuesday, October 8, 2013 4:04:39 PM UTC-7, ~BD~ wrote:
I came across this a while back but I still cannot figure out how it survives the sh*t I put it through

http://www.gameru.net/forum/index.php?act=attach&type=post&id=2929

~BD~
Oct 9, 2013, 6:36:48 AM

Vickie McKnight wrote:

[....]
>
> I came across this awhile back but I still can not figure out how it survives the sh*t I put it through
>
> http://www.gameru.net/forum/index.php?act=attach&type=post&id=2929

Is that the same as you posted last month, Vickie?

Dave

bren...@gmail.com
Feb 7, 2014, 3:49:42 PM

Hacked details:

Since March 12th, 2011 someone severely hacked my home network and even took control of my IP security cams when Microsoft released their Critical patch with port 3389 RDP.

I have spent over 1000 hours trying to solve my hacked network, and this is what I have found.
Once the malware is on a computer at home it doesn't matter if I do a 50-hour low-level format on the drive, as when I load Windows XP from a CD the malware comes from either the ACPI or NVRAM and customizes the install of Windows. Once Windows is finished installing, a schema has added my workstation to an invisible domain allowing Kerberos authentication. It then strips down my admin account so I no longer have full access to the folders on the C drive or the registry.

Server Operators are added to the Universal Plug and Play service as well as the Smart Card service. Network Configuration Operators are added to the DHCP service as well as the DNS Client service. Authenticated Users are added to all other services.
They spoof my DNS right away, and when I go to Microsoft Update it is not Microsoft. They load me with tons of other malware.
They use WMI, VBS, .NET, Windows shell, WBEM and other scripting tools to alter things, and they already stole my credit cards in early May 2012.

If I shut my computers off for a few days I get strange calls from foreign people asking for the wrong people that do not live here.

If I try and load Windows 7, the ACPI malware jumps into the 100 MB boot partition that Windows 7 creates during the install, and then my Windows is taken over.

They bind an asynchronous RAS adapter to my local network card or use 6to4, Teredo or another way through VPN like Terminal Services, IMAPI or Windows Messaging.

I have gone to three different ISPs and tried over 25 different routers, on which they can bind a static route or use RADIUS enterprise even though that is not enabled on my router. I have bought new laptops and new switches and tried all new equipment and still get attacked.

I sometimes watch movies off an external USB hard drive connected to my television.
Is it possible they use air waves, or radio signals to install their Trojans?

I will get attacked on a brand new install of Windows with the wireless switch turned off and no network card installed and no Ethernet cable plugged in. I also get attacked with a brand new laptop before it is on the network, which has to be through my iPhone Bluetooth or infrared even though my iPhone's Bluetooth is off.


I use an iPhone, and I have noticed an Intel generic iPhone.dll file and a 3G.dll file in Windows\System32.
I think the hacker uses some type of Bluetooth or infrared hack that can link into my iPhone and somehow use my iPhone to manipulate my laptop.
I had also noticed a microphone-enhanced DLL file which I think they use to listen in to my iPhone with. They install a lot more video camera software, which I also think they use to control my iPhone's video camera to capture video or pictures with.

When I go into my diagnostic log files on my iPhone, it shows: <key>ADActivatedAppInfo</key>

When I search the message up on the Internet it talks about having people's iPhone's hacked.

My iPhone is hacked, my IP wireless Java-based cameras are hacked, my computers, any routers and my PS3. Everything is hacked at either the firmware level or the BIOS level.
Even doing a hardware reset to the factory settings on any of them doesn't get rid of the hacker.
The hacker is at a lower level than the factory reset on the hardware.

The Shaw PVR television digital cable box is hacked. If I go to tape a three part series and ensure they are all set to record at the right time, later I will go to watch the series and I am missing one of them. Some of my recordings will mysteriously not record a program.

In my laptop, even with no Internet connection, things slowly change. I go from logging into a local Windows XP to logging into an Active Domain server, using Terminal Services remotely. At this point, the hacker can do anything to my computer, like strip my local administrator permissions away.
If I load Windows XP for the first time on a freshly formatted hard drive and then install Norton 360, Norton 360's firewall program disables Windows XP's firewall and then allows several firewall rules that let a hacker in, and these rules are greyed out so you are unable to change those custom firewall rules.

The more sophisticated the router I buy, the more the hacker can hack.
I have gone to Memory Express and had the computer technician set a very highly encrypted Administrator password and wireless key before bringing it home. I install the router at home and minutes later the hacker will install a VPN bridge, allowing the hacker to bind a virtual network card to my physical network card to gain access through my router.
In Windows Services the hacker will bind my TCP/IP protocol to IPX and AppleTalk.
They bind my physical network card in the registry to 2 virtual cards. One is a WANARP card and the other is NDIS.
The hacker uses NetMeeting, Whiteboard and conf.exe to gain control of my laptop.
Under user accounts, when you right-click on My Computer and select Manage, the Help and Support account, which is disabled, gets secretly enabled, as the Event Viewer will show events regarding this.
They use DcomCnfg.exe, WMI, PowerShell, RctBuddy, and other tools to manipulate Windows.
If I try and install a fresh copy of Windows and quickly go onto Windows Update, my computer is DNS spoofed (man-in-the-middle attack). All the Microsoft Critical updates are not Windows updates, but more hacker code to install on my system.
Even if I plug into the net and boot up with a Linux BitDefender Anti-Virus CD or a Kaspersky Rescue CD and go online this way to download a bunch of drivers for my computer, they are the drivers, but they are customized by the hacker allowing settings for the hacker. Like the video card or the network card installs.
Through Linux, DOS, Bart PE, Windows XP, or Windows 7 the hacker spoofs my DNS and poisons my ARP cache.
I have been using computers since 1982, and the level of hacker sophistication makes my expertise seem like a novice's.
I honestly think that this person is out to continue to upset me, stress me out continuously over the past 2 years and keep poking my buttons, and I honestly think they want to kill me this way as I won't give up.

I know this is at the BIOS level, as every BIOS was remotely flashed and then password protected, leaving four of my laptops no good.
On the last laptop I had, I extracted the DOS files out of the executable, plugged in a USB floppy and booted with a CD boot disk. After flashing the BIOS, I can no longer enter the BIOS when it says press F2. The hacker has my BIOS and I am sure all their code is stored in the NVRAM or ACPI. They are using Bluetooth and infrared and turning on the wireless network card even though the switch is off to add my iPhone to an Active Directory.
I agree that this Windows XP install I have is not from the CD. The registry is from a virtual machine, and after I install Windows they eventually turn my XP login into a Terminal Server login.
I have been in computers since 1982 and I am a computer expert! This type of SUS attack makes my skill set feel like I just started with computers.
I have tried everything to wipe the hard disk, but because the hacker hides his code in the tainted BIOS, you are done!
I have picked up a new laptop from Best Buy five days in a row, and even without plugging into the network, they get my BIOS and then my hard drive, so I return the laptop and get a new one and try something else, and they get me again.
I have not been able to load Windows in my home in over two years!!! My wife does not like the 1000 hours I have invested in trying to solve this either!!
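The post above claims that the ARP cache is poisoned on every operating system the poster boots. As an added example (not part of the original post, and not code from any of the tools it names), this is the host-side check a practitioner would run before accepting that claim: parse the ARP table, flag unicast MACs claimed by more than one IP address, and compare the gateway's cached MAC against a value pinned out of band. The sample `arp -a` output, the gateway address and the pinned MAC are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows "arp -a" output; not a real capture.
# 192.168.1.1 is the gateway. The MAC cached for it is also claimed by 192.168.1.37,
# which is what a successful ARP-spoofing attack against this host looks like.
SAMPLE_ARP = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.20          00-50-56-12-34-56     dynamic
  192.168.1.37          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

GATEWAY_IP = "192.168.1.1"
# Hypothetical value read from the router's label or admin page, never from the cache.
PINNED_GATEWAY_MAC = "00-11-22-33-44-55"

# An IPv4 address followed, somewhere on the same line, by a MAC in dash or colon
# form. Matches Windows "arp -a", Linux "arp -n" and "ip neigh" lines; skips headers.
_ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\D.*?((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)


def normalise_mac(mac):
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Return [(ip, mac)] pairs with MACs normalised to lowercase colon form."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if m:
            entries.append((m.group(1), normalise_mac(m.group(2))))
    return entries


def is_unicast(mac):
    """Broadcast/multicast MACs (I/G bit set in the first octet) legitimately repeat."""
    return int(mac[:2], 16) & 1 == 0


def duplicate_macs(entries):
    """Unicast MACs claimed by more than one IP -> {mac: [ip, ...]}."""
    by_mac = defaultdict(list)
    for ip, mac in entries:
        if is_unicast(mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_check(entries, gateway_ip, pinned_mac):
    """Return (matches_pinned, cached_mac); cached_mac is None if the gateway is absent."""
    pinned = normalise_mac(pinned_mac)
    for ip, mac in entries:
        if ip == gateway_ip:
            return mac == pinned, mac
    return False, None


def findings(text, gateway_ip, pinned_mac):
    """Human-readable list of anomalies; an empty list means nothing suspicious."""
    entries = parse_arp(text)
    out = []
    for mac, ips in duplicate_macs(entries).items():
        tag = " (includes the gateway)" if gateway_ip in ips else ""
        out.append("MAC %s claimed by %s%s" % (mac, ", ".join(ips), tag))
    ok, cached = gateway_check(entries, gateway_ip, pinned_mac)
    if cached is None:
        out.append("gateway %s not present in the ARP cache" % gateway_ip)
    elif not ok:
        out.append("gateway %s resolves to %s, pinned value is %s"
                   % (gateway_ip, cached, normalise_mac(pinned_mac)))
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_ARP, GATEWAY_IP, PINNED_GATEWAY_MAC):
        print("WARNING:", line)
```

Feed it the real output of `arp -a` (Windows) or `ip neigh` (Linux) and a gateway MAC you have read off the router itself. A duplicate MAC is a signal, not proof: one router interface answering for several addresses, or a VRRP/HSRP virtual MAC, produces the same pattern, so confirm with a packet capture of gratuitous ARP replies before concluding anything. Pinning the entry with `arp -s` on XP stops the cache being overwritten for that address, but nothing in this check speaks to firmware or BIOS, which is where the post places the problem.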

~BD~

Feb 8, 2014, 5:59:24 PM
That's one hell of a story! <shock>

-

Hot-Text

Feb 8, 2014, 11:02:11 PM

Get a new Wireless Router
for malware in the old one

And reinstall XP
on your PC with the Internet plugged in


Shadow

Feb 9, 2014, 4:28:11 PM
On Sat, 08 Feb 2014 22:59:24 +0000, ~BD~ <~BD~@nomail.afraid.org>
wrote:

>> Even if I plug into the net, and boot up with a Linux Bit Defender Anti-Virus CD
>> or a Kaspersky Rescue CD and go online this way to download a bunch of
>>Drivers for my computer, they are the drivers, but they are customized by the
>>hacker allowing settings for the hacker. Like the video card or the network
>>card installs.

Drivers? Both can be used from the command line. WTF does he
need drivers for?
Bloody fool to go online with a compromised router.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012

~BD~

Feb 11, 2014, 6:16:26 PM
Shadow wrote:
> On Sat, 08 Feb 2014 22:59:24 +0000, ~BD~ <~BD~@nomail.afraid.org>
> wrote:
>
>>> Even if I plug into the net, and boot up with a Linux Bit Defender Anti-Virus CD
>>> or a Kaspersky Rescue CD and go online this way to download a bunch of
>>> Drivers for my computer, they are the drivers, but they are customized by the
>>> hacker allowing settings for the hacker. Like the video card or the network
>>> card installs.
>
> Drivers ? Both can be used from the command line. WTF does he
> need drivers for ?
> Bloody fool to go online with a compromised router.
> []'s

Please explain HOW an 'ordinary user' would have any clue that their
router *had* been compromised.

Serious question!

-

FrozenNorth

Feb 11, 2014, 6:28:15 PM
The 'ordinary user' would have no clue, for the most part.
That is the problem with the way things work, and there is no easy fix.

--
Froz...


The system will be down for 10 days for preventive maintenance.

Hot-Text

Feb 11, 2014, 11:43:39 PM
"Shadow" <S...@dow.br> wrote in message news:gjsff9tmfkp35rv8qk2u11hva3ncn09dtt@4ax.com...
> On Sat, 08 Feb 2014 22:59:24 +0000, ~BD~ <~BD~@nomail.afraid.org>
> wrote:
>>> Even if I plug into the net, and boot up with a Linux Bit Defender Anti-Virus CD
>>> or a Kaspersky Rescue CD and go online this way to download a bunch of
>>>Drivers for my computer, they are the drivers, but they are customized by the
>>>hacker allowing settings for the hacker. Like the video card or the network
>>>card installs.
>
> Drivers ? Both can be used from the command line. WTF does he
> need drivers for ?
> Bloody fool to go online with a compromised router.

100% True The router is compromised

He needs to get a new one
And not the some kennel

For the New Router
Need to be Password
Made at the Store
To be safe

Then maybe you can
Save that XP Computer
With Kaspersky Rescue


~BD~

Feb 12, 2014, 5:54:20 AM
FrozenNorth wrote:
> On 2/11/2014 6:16 PM, ~BD~ wrote:
>> Shadow wrote:
>>> On Sat, 08 Feb 2014 22:59:24 +0000, ~BD~ <~BD~@nomail.afraid.org>
>>> wrote:
>>>
>>> Drivers ? Both can be used from the command line. WTF does he
>>> need drivers for ?
>>> Bloody fool to go online with a compromised router.
>>> []'s
>>
>> Please explain HOW an 'ordinary user' would have any clue that their
>> router *had* been compromised.
>>
>> Serious question!
>>
> The 'ordinary user' would have no clue, for the most part.
> That is the problem with the way things work, and there is no easy fix.

I appreciate you answering. Thank you. :-)

Are you able to comment on how a router itself may be compromised? Such
an event would, of course, affect any computer whether it is running
Linux, OS X, Windows or any other operating system.

What would make YOU suspicious of a router if your computer was still
'working'?

-

~BD~

Feb 12, 2014, 7:58:19 AM
FrozenNorth wrote:
> On 2/11/2014 6:16 PM, ~BD~ wrote:
>> Shadow wrote:
>>> On Sat, 08 Feb 2014 22:59:24 +0000, ~BD~ <~BD~@nomail.afraid.org>
>>> wrote:
>>>
>>> Drivers ? Both can be used from the command line. WTF does he
>>> need drivers for ?
>>> Bloody fool to go online with a compromised router.
>>> []'s
>>
>> Please explain HOW an 'ordinary user' would have any clue that their
>> router *had* been compromised.
>>
>> Serious question!
>>
> The 'ordinary user' would have no clue, for the most part.
> That is the problem with the way things work, and there is no easy fix.


There is a good article on Internet/Network security here:-

http://netsecurity.about.com/od/vulnerabilityscanners/a/How-To-Test-Your-Firewall.htm

A further question I'd like to ask. If one's router has /already/ been
compromised and one tries to proceed to the 'Shields Up' site
https://www.grc.com/intro.htm is it feasible that one may be directed
to a spoof site - which might advise that one's equipment is fully
stealthed but which, in truth, is a complete lie?

Here's a Shields UP result taken just a few minutes ago:-

http://i60.tinypic.com/5zflz4.jpg

I used Google Chrome with the ZenMate extension.

What follows is another Shields UP result, this time using Safari and my
bona fide IP address: http://i59.tinypic.com/2pqt5pd.jpg

I rather hope that the Pass result is the *correct* conclusion - but BD
has no way of being certain about this!!! ;-)

-

Shadow

Feb 12, 2014, 11:18:53 AM
On Tue, 11 Feb 2014 23:16:26 +0000, ~BD~ <~BD~@nomail.afraid.org>
wrote:
OK. The wife said "not tonight. I have a headache"
I apologize

Shadow

Feb 12, 2014, 11:25:28 AM
On Wed, 12 Feb 2014 12:58:19 +0000, ~BD~ <~BD~@nomail.afraid.org>
wrote:

>Here's a Shields UP result taken just a few minutes ago:-
>
>http://i60.tinypic.com/5zflz4.jpg
>
>I used Google Chrome with the ZenMate extension.

Compromised. You have an encrypted port completely open to
outside access. It's not even faking it .... OMG
Is that really yours? You lopped off half the report.

~BD~

Feb 12, 2014, 1:44:17 PM
Shadow wrote:
> On Wed, 12 Feb 2014 12:58:19 +0000, ~BD~ <~BD~@nomail.afraid.org>
> wrote:
>
>> Here's a Shields UP result taken just a few minutes ago:-
>>
>> http://i60.tinypic.com/5zflz4.jpg
>>
>> I used Google Chrome with the ZenMate extension.
>
> Compromised. You have an encrypted port completely open to
> outside access. It's not even faking it .... OMG
> Is that really yours? You lopped off half the report.
> []'s

How familiar with ZenMate are you, Shadow?

What part of the report would you like to see?

-

Shadow

Feb 12, 2014, 2:36:24 PM
On Wed, 12 Feb 2014 18:44:17 +0000, ~BD~ <~BD~@nomail.afraid.org>
wrote:
I'm not. I would never use anything that leaves ports open.
That includes any remote-access software. But then, I'm just a home
user, do not have a central server and have no reason for running said
software.
>
>What part of the report would you like to see?

Just the IP address, to see if it is the same as the other
one, and if not, who the net range belongs to.
But you do realize that (if IPs are the same) you are
announcing to any port-scanner that you are not only online, but also
(probably) what software you are using ? And that you are accepting
incoming calls from anyone ?
But just the mention of "Google Chrome" and I realized that
security is not one of your goals.
Is that scan from a regular PC or from a Chromebook? Your
router and your PC should be dropping the scans to those ports marked
as "closed". Blue is not good. Should be all green.

~BD~

Feb 12, 2014, 6:16:09 PM
Shadow wrote:
> On Wed, 12 Feb 2014 18:44:17 +0000, ~BD~ <~BD~@nomail.afraid.org>
> wrote:
>
>> Shadow wrote:
>>> On Wed, 12 Feb 2014 12:58:19 +0000, ~BD~ <~BD~@nomail.afraid.org>
>>> wrote:
>>>
>>>> Here's a Shields UP result taken just a few minutes ago:-
>>>>
>>>> http://i60.tinypic.com/5zflz4.jpg
>>>>
>>>> I used Google Chrome with the ZenMate extension.
>>>
>>> Compromised. You have an encrypted port completely open to
>>> outside access. It's not even faking it .... OMG
>>> Is that really yours? You lopped off half the report.
>>> []'s
>>
>> How familiar with ZenMate are you, Shadow?
>
> I'm not. I would never use anything that leaves ports open.
> That includes any remote-access software. But then, I'm just a home
> user, do not have a central server and have no reason for running said
> software.

I'm just a home user too!

You should, though, I believe, learn about ZenMate.

Quote:

Unblocks websites. Encrypts your browser traffic. Wifi & Hacker
protection. ZenMate is free, easy to install and use!
Here’s what you’ll get through the ZenMate VPN proxy service:

✔ Total Privacy:
We encrypt all your browser traffic

✔ Total Freedom:
Forget location restrictions. Access ANY website from ANYWHERE

✔ Total Control:
YOU choose where any website “thinks” you are.

https://chrome.google.com/webstore/detail/zenmate-for-google-chrome/fdcgdnkidjaadafnichfpabhfomcebme?hl=en

>> What part of the report would you like to see?
>
> Just the IP address, to see if it is the same as the other
> one, and if not, who the net range belongs to.

The IP addresses were *NOT* the same!

> But you do realize that (if IPs are the same) you are
> announcing to any port-scanner that you are not only online, but also
> (probably) what software you are using ? And that you are accepting
> incoming calls from anyone ?

I do hope that any incoming calls are confused - but I still cannot be
sure about that!

> But just the mention of "Google Chrome" and I realized that
> security is not one of your goals.

I'm happy to trust Google - I have *NO* secrets! :-)

> Is that scan from a regular PC or from a Chromebook ?

The scans are both from my iMac!

> Your router and your PC should be dropping the scans to those ports marked
> as "closed". Blue is not good. Should be all green.
> []'s

The image I showed which indicated all green ports was via my Safari
browser showing my true IP address (which I chose not to show you!)

Thanks for playing, Shadow! :-)

-

Shadow

Feb 12, 2014, 9:07:18 PM
On Wed, 12 Feb 2014 23:16:09 +0000, ~BD~ <~BD~@nomail.afraid.org>
wrote:

>Shadow wrote:
>> On Wed, 12 Feb 2014 18:44:17 +0000, ~BD~ <~BD~@nomail.afraid.org>
>> wrote:

>>> What part of the report would you like to see?
>>
>> Just the IP address, to see if it is the same as the other
>> one, and if not, who the net range belongs to.
>
>The IP addresses were *NOT* the same!
>

So you are using a German proxy, and giving it full access to
the files on your PC. The traffic might be encrypted to other sites,
and even to you, but it is certainly not encrypted to them.
It is not a free service, someone is footing the bill. No such
thing as a free lunch etc.
How much do you know about the people who run the service and
who finances it ? Are you willing to risk them getting their hands on
all your passwords and bank details ?
Your call.

~BD~

Feb 14, 2014, 9:09:53 AM
Shadow wrote:
> On Wed, 12 Feb 2014 23:16:09 +0000, ~BD~ <~BD~@nomail.afraid.org>
> wrote:
>
>> Shadow wrote:
>>> On Wed, 12 Feb 2014 18:44:17 +0000, ~BD~ <~BD~@nomail.afraid.org>
>>> wrote:
>
>>>> What part of the report would you like to see?
>>>
>>> Just the IP address, to see if it is the same as the other
>>> one, and if not, who the net range belongs to.
>>
>> The IP addresses were *NOT* the same!
>>
>
> So you are using a German proxy, and giving it full access to
> the files on your PC. The traffic might be encrypted to other sites,
> and even to you, but it is certainly not encrypted to them.
> It is not a free service, someone is footing the bill. No such
> thing as a free lunch etc.

My understanding is that Google is funding the facility and, as well you
know, the principal income source of Google is from advertising.

> How much do you know about the people who run the service and
> who finances it ? Are you willing to risk them getting their hands on
> all your passwords and bank details ?
> Your call.
> []'s

Unlike some folk, I *DO* trust Google - as much as any other on-line
facility. I don't do on-line banking after all the things I've learned
since 2005! ;-)

Other than that, I wear my heart on my sleeve and have no secrets!

http://www.youtube.com/watch?v=jrLJ8uknDBE

D.

Shadow

Feb 15, 2014, 11:30:40 AM
On Fri, 14 Feb 2014 14:09:53 +0000, ~BD~ <~BD~@nomail.afraid.org>
wrote:

>My understanding is that Google is funding the facility and, as well you
>know, the principal income source of Google is from advertising.

Sure it is ..... I click on all their ads. At a cent a click,
that easily adds up to $100.000.000.000 dollars ....

~BD~

Feb 15, 2014, 12:01:01 PM
Shadow wrote:
> On Fri, 14 Feb 2014 14:09:53 +0000, ~BD~ <~BD~@nomail.afraid.org>
> wrote:
>
>> My understanding is that Google is funding the facility and, as well you
>> know, the principal income source of Google is from advertising.
>
> Sure it is ..... I click on all their ads. At a cent a click,
> that easily adds up to $100.000.000.000 dollars ....
> []'s

It's a shame that is for them ..... and not for you, Shadow! ;-)

-

The Daring Dufas

Feb 15, 2014, 1:55:21 PM
On 2/15/2014 11:50 AM, Robert James wrote:
> On 15 Feb 2014; an order was obeyed by Military Assault Command Ops
> to interrogate Shadow, noted enemy of the Terran Empire and saboteur
> of Imperial Starfleet battle cruisers:
>
>> On Fri, 14 Feb 2014 14:09:53 +0000, ~BD~ <~BD~@nomail.afraid.org>
>> wrote:
>>
>>> My understanding is that Google is funding the facility and, as
>>> well you know, the principal income source of Google is from
>>> advertising.
>>
>> Sure it is ..... I click on all their ads. At a cent a click, that
>> easily adds up to $100.000.000.000 dollars .... []'s
>
> If everybody installed AdBlock Plus then Gigolo could only rely on
> stock market manipulators & speculators. Also FacePalm would not make
> a cent off their lose weight, make money now classified ads and thus
> Marked Suckerberg would be forced to live off of NSA contracts and
> Wall Street RL-begging. You know I am thinking of starting a website
> plastered with ads, it will not have any content or paying
> advertisers. Yet I won't tell NASDAQ that during my Dom Pérignon
> flowing rivers of champagne IPO.
>
I block every damn thing then I must figure out what to unblock so I can
see the content. It's funny to middle click on NoScript and see
different opinions on the safety of various scripts coming up that try
to send me and mine off into someplace way out there in The Interweb. o_O

TDD

Hot-Text

Feb 15, 2014, 5:13:06 PM
"Robert James" <DEAWebmaster@dea.usdoj.gov> wrote in message news:XnsA2D5829FBE43Frobert2600kook@78.46.70.116...
> On 15 Feb 2014; an order was obeyed by Military Assault Command Ops to
> interrogate Shadow, noted enemy of the Terran Empire and saboteur of
> Imperial Starfleet battle cruisers:
>> On Fri, 14 Feb 2014 14:09:53 +0000, ~BD~ <~BD~@nomail.afraid.org>
>> wrote:
>>>My understanding is that Google is funding the facility and, as well you
>>>know, the principal income source of Google is from advertising.
>> Sure it is ..... I click on all their ads. At a cent a click,
>> that easily adds up to $100.000.000.000 dollars ....
> If everybody installed AdBlock Plus then Gigolo could only rely on stock
> market manipulators & speculators. Also FacePalm would not make a cent off
> their lose weight, make money now classified ads and thus Marked Suckerberg
> would be forced to live off of NSA contracts and Wall Street RL-begging.
> You know I am thinking of starting a website plastered with ads, it will
> not have any content or paying advertisers. Yet I won't tell NASDAQ that
> during my Dom Pérignon flowing rivers of champagne IPO.
>

OK, if AdBlock Plus is that good it will block this post, right?

Ad Start here!

--
<!-- Start:Hot-Text_Advertiser:
< http://click.linksynergy.com/fs-bin/click?id=SglV5E3Hi4g&offerid=299527.10024778&type=3&subid=0 >
DOD: Honeywell 6-Sheet Strip-Cut Paper Shredder,
Auto Start & Stop / Manual Reverse / Manual Off Functions,
2.9 Gallon Waste Basket,
Overheat & Overload Protection
- $19.99.

< http://click.linksynergy.com/fs-bin/click?id=SglV5E3Hi4g&offerid=299527.10024779&type=3&subid=0 >
Bonus Slasher Deal: Philips DVD Player,
HDMI,
Upscaling (Refurbished)
- $19.99.

< http://click.linksynergy.com/fs-bin/click?id=SglV5E3Hi4g&offerid=299527.10024780&type=3&subid=0 >
Bonus Slasher Deal:
CuiZen Personal Blender,
17 Pieces, 8 oz. Cup,
5 16 oz. Cups,
Powerful Motor Base Unit,
Large & Small Vented Shaker Tops,
Cross & Single Blades,
Push Action & Continuous Blend Functions
- $19.99.
End:Hot-Text_Advertiser>


Shadow

Feb 16, 2014, 10:01:37 AM
On Sat, 15 Feb 2014 17:01:01 +0000, ~BD~ <~BD~@nomail.afraid.org>
wrote:
Well, I was being a tiny bit sarcastic. I know no one who
clicks on the ads when they do Google searches. So maybe Google has
another source of income. Certainly not advertising.

~BD~

Feb 16, 2014, 10:43:55 AM
I certainly never click on advertisements during searches either! ;-)

Quote:
******

"Google is an advertising company and its biggest product is you, the
user. The company controls almost 90 per cent of the search market in
the UK, and almost 96 per cent of Google's revenue still comes from
advertising."

That's from this quite interesting article: (found after a quick Google!)

http://www.channel4.com/news/if-google-is-free-how-does-it-make-so-much-money

Do you believe that Google has a /different/ source of income?

-

Mynews [ OK US EN ]

Feb 16, 2014, 10:31:33 PM
"Hot-Text" <billyrferrell@forgot.his.name> wrote in message news:WvadnWxrg4voe2LPnZ2dnUVZ5tudnZ2d@giganews.com...
> "Robert James"
>
> Ad Start here!
>

And End up on the Internet

Damn
Hot-Text _ Advertisers
Lol


Shadow

Feb 17, 2014, 8:35:25 PM
On Sun, 16 Feb 2014 17:40:21 +0000 (UTC), Robert James
<DEAWeb...@dea.usdoj.gov> wrote:

>On 16 Feb 2014; an order was obeyed by Military Assault Command Ops to
>interrogate Shadow, noted enemy of the Terran Empire and saboteur of
>Imperial Starfleet battle cruisers:
>
>Google's value based on advertising in 2011, $4 billion:
>
>"In 2011, 96% of Google's revenue was derived from its advertising
>programs." - Wikipedia
>
>Google's current assets based on NASDAQ, $111 billion:

4 billion from advertising, but it's worth 111 billion. I see
they teach maths in Canada ..... and that you also noticed something
is amiss.
Wonder what the other sources of income are?
Maybe Google smuggles coke from Colombia, or opium from the
Far East ? Maybe something worse than that ? Until they come clean, we
can only guess.

FrozenNorth

Feb 18, 2014, 12:31:02 AM
On 2/17/2014 11:47 PM, Robert James wrote:
> On 17 Feb 2014; an order was obeyed by Military Assault Command Ops to
> Student life in Kanadaland: 4 periods of Socialist indoctrination
> through educational brainwashing, 2 periods of science without the
> scientific method, and 1 period on calculator use. Fuck Englandish, they
> want children speaking Le Frog. I have a very mediocre intellect at
> best, but I am smarter than most Kanadians - and that terrifies me!
>
I find it scary that you feel that way. I went through the system earlier,
though; the more I read, the more I think it has gone downhill.

Shadow

Feb 18, 2014, 7:40:27 AM
>Student life in Kanadaland: 4 periods of Socialist indoctrination
>through educational brainwashing, 2 periods of science without the
>scientific method, and 1 period on calculator use. Fuck Englandish, they
>want children speaking Le Frog. I have a very mediocre intellect at
>best, but I am smarter than most Kanadians - and that terrifies me!

Canada has tumbled down 4 places in the HDI since 2011.
WTF is happening? Spending all the education and health
budget on spying?

http://en.wikipedia.org/wiki/List_of_countries_by_Human_Development_Index

Shadow

Feb 19, 2014, 9:19:53 AM
On Tue, 18 Feb 2014 17:29:27 +0000 (UTC), Robert James
<DEAWeb...@dea.usdoj.gov> wrote:

>On 18 Feb 2014; an order was obeyed by Military Assault Command Ops to
>interrogate Shadow, noted enemy of the Terran Empire and saboteur of
>Imperial Starfleet battle cruisers:
>
>> Canada has tumbled down 4 places in the HDI since 2011.
>> WTF is happening ? Spending all the education and health
>> budget on spying ?
>>
>> http://en.wikipedia.org/wiki/List_of_countries_by_Human_Development_Index
>>
>> []'s
>
>Honestly: forced massive 3rd world immigration, corrupt public sector
>unions, politically correct social engineering, government sanctioned theft
>of private property, currency that has NO gold or silver reserves to back
>it up WHATSOEVER, people living off of debt, governments taxing more to get
>more debt, crushing of small businesses, a growing police and nanny state.
>
>I could cover all these points individually with facts and references, but
>I think that will suffice to satisfy the adequacies of a Usenet followup.

IOW, the right wing took over. I don't envy you.

Shadow

Feb 20, 2014, 1:46:37 PM
On Wed, 19 Feb 2014 16:44:07 +0000 (UTC), Robert James
<DEAWeb...@dea.usdoj.gov> wrote:

>Methinks Ron Paul should run for Prime Minister in Kanada just to give
>us a break. That is if he could speak Hindi, Mandarin, Tagalog, Bangla,
>Broken Jamaican English, Sinhala, Arabic and African tribal dialects...
>the new national languages of this once great Englandish land.

I heard they imported the Muslims as an excuse to let the NSA
in.
Any truth in that?

lab0...@gmail.com

Jul 4, 2017, 1:01:21 PM
Did you ever find a solution? I am a novice but have experienced everything listed in these posts.