
Topic: Please advise / help: Laptop hacked via Bluetooth Phone


SadLittleAcer (Topic Starter)

    • Experience: Beginner
    • OS: Unknown
    Please advise / help: Laptop hacked via Bluetooth Phone
    « on: July 31, 2012, 01:18:21 AM »
    Before I lose the ability to log on to the web, I want to post this on some forums and see if anyone can help me or sees anything in the log files that might be a clue.
    Also, thanks so much for Computerhope.com.  I've learned so much from this site; you explain things in a simple way that a non-IT person can understand.

     I am a very tired, desperate woman about to lose my job over this.  Nothing I've found on the web seems to be related to the hack/rootkit that's become a private little *censored* for me.  I stay up half the night trying to figure it out,  and then go into work in the morning with my work unfinished because my only home computer (laptop) is messed up.
    I want to say: If this sounds like a hack with physical access to my laptop, it isn't.
    I live alone, no one has access to my phone or laptop, and they're always with me.

    LAPTOP 1:  I've been going through this since April.  It started when my Acer Aspire netbook / Win7 Starter (I'll call this "Laptop 1") picked up a remote hacker/root kit (?).  (There were other things too; booting up was a daily adventure.  My laptop screen resolution changed to one for a large desktop monitor, I lost all administrative power to a remote, nameless domain controller, on and on.)  My efforts to "takeown" and disable the larger screen monitor resulted in that laptop being disabled.

    LAPTOP 2:  I have to have a laptop for work; I bought another one (using money that I should have paid bills with - you knew I didn't have money or I wouldn't have been using an Acer to begin with, right?).  In spite of following the rule to the letter (disabled remote access, file sharing, all those initial vulnerabilities that Win7 is preloaded with) and spending my last $60 on Norton Antivirus (which was the second thing I did when I finally felt like I was locked down enough to risk an internet connection; the first was MS Updates, of course),
    Laptop 2 was infected within the first day.
    I assumed it was something in the MS Office Excel documents that I need for work and had to download via email.

    ANDROID PHONE 1:  Then my phone, which had a great battery, began to drain within an hour or so (Android T-Mobile Comet).  The settings had been changed to "roaming" and some kind of "extended Bluetooth search".  (I'm sorry, I can't remember what the exact name of that original Bluetooth thing was.)  Anyway, I could not shut it off (not even with a hard reset).  It also had a voice recorder installed that could not be shut off, and in the logs these recordings were being streamed to a remote "Private Network".  I'd had this phone for a year and knew every setting on it.  The recorder, a second camera, the extended Bluetooth - none of these were ever on my phone until then.

    ANDROID PHONE 2:  When I tried to disable the recorder, the phone stopped recognizing my T-Mobile SIM card.
    You can guess the solution they offered me at the T-Mobile store, can't you?  They wanted me to buy a new phone.  I had to.  Galaxy Samsung II (or "Phone 2").

    Took laptop 2 in to a computer repair place and they recommended removing the motherboard and doing a low-level reformat.  I disabled the internet adapters and took it home, planning to lock all the settings down before I connected to the internet.
    This was great; it was amazing to see a laptop that functioned normally.  It lasted about 4 hours - and then, without ever connecting to the internet, the rootkit / hacker reinstalled.
    How?  I decided it had to be the repair shop; they must have reinstalled the original drivers (containing a script?  Because I could see in the event logs when the scripts / tasks for the remote domain had reinstalled).  They insisted they didn't.

    LAPTOP 3:   Now it's July.  I still haven't caught up with the unpaid June bills.  I have two disabled laptops, 1 disabled phone and another phone that's streaming audio / video to a remote hacker.   And - I'm going to lose my job because I can't do my work without a laptop.  On a borrowed credit card I buy a laptop.  I bring it home, I disable the adapters and begin securing the default remote access settings and ...    I get an error message that the connection to the remote server is lost.   My phone is sitting on the couch beside me, and I realize that the thing that made me notice it is that the backlight came back on. 

    I check the settings, Bluetooth (which I had disabled) is now on, and it's been reset to "Bluetooth Share".
    I'm typing this on LAPTOP 3.   Before I connected to the internet, I saved some logs (event logs and tasks) that show what happened. 

    A few of the programs that I've noticed seem to be used by this root/hacker:
    Windows PowerShell / Desktop INI files / Skype / Windows Live Messenger and Mesh / Zune / Broadcom NetLink / Bing Bar / Intel Trusted Connect Service Client

    I'm posting them here.
    NOTE:  I am "TrustedInstaller" in these logs.  The logs are from after a system repair / restore (the laptop shut down and wouldn't boot on restart as I was trying to gather this info into txt files and onto a USB drive).
    When I did the system restore from boot and had to choose a user name, I tried "TrustedInstaller" and it allowed me to use the name.  I thought it might be some work-around for the admin privileges I can't keep.


    --------- EVENT LOG NEW ACCOUNT -------------
    Source:        Microsoft-Windows-Security-Auditing
    Date:          7/25/2012 8:56:41 PM
    Event ID:      4624
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      5898OGardensDr
    Description:
    An account was successfully logged on.

    Subject:
       Security ID:      SYSTEM
       Account Name:      WIN-NRHRT7J9C9D$
       Account Domain:      WORKGROUP
       Logon ID:      0x3e7

    Logon Type:         5

    New Logon:
       Security ID:      SYSTEM
       Account Name:      SYSTEM
       Account Domain:      NT AUTHORITY
       Logon ID:      0x3e7
       Logon GUID:      {00000000-0000-0000-0000-000000000000}

    Process Information:
       Process ID:      0x240
       Process Name:      C:\Windows\System32\services.exe

    Network Information:
       Workstation Name:   
       Source Network Address:   -
       Source Port:      -

    Detailed Authentication Information:
       Logon Process:      Advapi 
       Authentication Package:   Negotiate
       Transited Services:   -
       Package Name (NTLM only):   -
       Key Length:      0

    This event is generated when a logon session is created. It is generated on the computer that was accessed.

    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
       - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
       - Transited services indicate which intermediate services have participated in this logon request.
       - Package name indicates which sub-protocol was used among the NTLM protocols.
       - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4624</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2012-07-26T03:56:41.697413900Z" />
        <EventRecordID>967</EventRecordID>
        <Correlation />
        <Execution ProcessID="600" ThreadID="3888" />
        <Channel>Security</Channel>
        <Computer>5898OGardensDr</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">WIN-NRHRT7J9C9D$</Data>
        <Data Name="SubjectDomainName">WORKGROUP</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="TargetUserSid">S-1-5-18</Data>
        <Data Name="TargetUserName">SYSTEM</Data>
        <Data Name="TargetDomainName">NT AUTHORITY</Data>
        <Data Name="TargetLogonId">0x3e7</Data>
        <Data Name="LogonType">5</Data>
        <Data Name="LogonProcessName">Advapi  </Data>
        <Data Name="AuthenticationPackageName">Negotiate</Data>
        <Data Name="WorkstationName">
        </Data>
        <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x240</Data>
        <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
        <Data Name="IpAddress">-</Data>
        <Data Name="IpPort">-</Data>
      </EventData>
    </Event>
    -------------
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          7/25/2012 8:56:41 PM
    Event ID:      4672
    Task Category: Special Logon
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      5898OGardensDr
    Description:
    Special privileges assigned to new logon.

    Subject:
       Security ID:      SYSTEM
       Account Name:      SYSTEM
       Account Domain:      NT AUTHORITY
       Logon ID:      0x3e7

    Privileges:      SeAssignPrimaryTokenPrivilege
             SeTcbPrivilege
             SeSecurityPrivilege
             SeTakeOwnershipPrivilege
             SeLoadDriverPrivilege
             SeBackupPrivilege
             SeRestorePrivilege
             SeDebugPrivilege
             SeAuditPrivilege
             SeSystemEnvironmentPrivilege
             SeImpersonatePrivilege
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4672</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12548</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2012-07-26T03:56:41.697413900Z" />
        <EventRecordID>968</EventRecordID>
        <Correlation />
        <Execution ProcessID="600" ThreadID="3888" />
        <Channel>Security</Channel>
        <Computer>5898OGardensDr</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">SYSTEM</Data>
        <Data Name="SubjectDomainName">NT AUTHORITY</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="PrivilegeList">SeAssignPrimaryTokenPrivilege
             SeTcbPrivilege
             SeSecurityPrivilege
             SeTakeOwnershipPrivilege
             SeLoadDriverPrivilege
             SeBackupPrivilege
             SeRestorePrivilege
             SeDebugPrivilege
             SeAuditPrivilege
             SeSystemEnvironmentPrivilege
             SeImpersonatePrivilege</Data>
      </EventData>
    </Event>
    -------------------------------     TASK items related to remote server ----------------------------------
    Pref Track Background Config Surveyor Task:
    <?xml version="1.0" encoding="UTF-16"?>
    <Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <RegistrationInfo>
        <Author>Microsoft Corporation</Author>
        <Description>Performance Tracing Idle Task: Background configuration surveyor</Description>
        <URI>Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor</URI>
        <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FA;;;LS)</SecurityDescriptor>
      </RegistrationInfo>
      <Triggers>
        <IdleTrigger>
          <Enabled>true</Enabled>
        </IdleTrigger>
        <CalendarTrigger>
          <StartBoundary>2008-05-30T03:00:00</StartBoundary>
          <Enabled>true</Enabled>
          <ScheduleByDay>
            <DaysInterval>1</DaysInterval>
          </ScheduleByDay>
        </CalendarTrigger>
      </Triggers>
      <Principals>
        <Principal id="LocalService">
          <UserId>S-1-5-19</UserId>
          <RunLevel>LeastPrivilege</RunLevel>
        </Principal>
      </Principals>
      <Settings>
        <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
        <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
        <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
        <AllowHardTerminate>false</AllowHardTerminate>
        <StartWhenAvailable>false</StartWhenAvailable>
        <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
        <IdleSettings>
          <StopOnIdleEnd>true</StopOnIdleEnd>
          <RestartOnIdle>false</RestartOnIdle>
        </IdleSettings>
        <AllowStartOnDemand>true</AllowStartOnDemand>
        <Enabled>false</Enabled>
        <Hidden>true</Hidden>
        <RunOnlyIfIdle>false</RunOnlyIfIdle>
        <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
        <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
        <WakeToRun>false</WakeToRun>
        <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
        <Priority>7</Priority>
      </Settings>
      <Actions Context="LocalService">
        <ComHandler>
          <ClassId>{EA9155A3-8A39-40B4-8963-D3C761B18371}</ClassId>
        </ComHandler>
      </Actions>
    </Task>
    -------------------------------
    Takes Control Task:
    <?xml version="1.0" encoding="UTF-16"?>
    <Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <RegistrationInfo>
        <Author>Microsoft Corporation</Author>
        <Version>1.0</Version>
        <Description>This task updates the cached list of folders and the security permissions on any new files in a user’s shared media library.</Description>
        <URI>Microsoft\Windows\Windows Media Sharing\UpdateLibrary</URI>
        <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;AU)</SecurityDescriptor>
      </RegistrationInfo>
      <Triggers>
        <EventTrigger>
          <Enabled>true</Enabled>
          <Subscription>&lt;QueryList&gt;
                  &lt;Query
                      Id="0"
                      Path="System"
                      &gt;
                    &lt;Select Path="System"&gt;*[System[Provider[@Name='Microsoft-Windows-WMPNSS-Service'] and (EventID=14210)]]&lt;/Select&gt;
                  &lt;/Query&gt;
                &lt;/QueryList&gt;</Subscription>
        </EventTrigger>
      </Triggers>
      <Principals>
        <Principal id="AuthenticatedUsers">
          <GroupId>S-1-5-11</GroupId>
          <RunLevel>LeastPrivilege</RunLevel>
        </Principal>
      </Principals>
      <Settings>
        <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
        <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
        <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
        <AllowHardTerminate>true</AllowHardTerminate>
        <StartWhenAvailable>true</StartWhenAvailable>
        <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
        <IdleSettings>
          <StopOnIdleEnd>true</StopOnIdleEnd>
          <RestartOnIdle>false</RestartOnIdle>
        </IdleSettings>
        <AllowStartOnDemand>true</AllowStartOnDemand>
        <Enabled>true</Enabled>
        <Hidden>false</Hidden>
        <RunOnlyIfIdle>false</RunOnlyIfIdle>
        <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
        <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
        <WakeToRun>false</WakeToRun>
        <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
        <Priority>7</Priority>
      </Settings>
      <Actions Context="AuthenticatedUsers">
        <Exec>
          <Command>"%ProgramFiles%\Windows Media Player\wmpnscfg.exe"</Command>
        </Exec>
      </Actions>
    </Task>
    ------------------
    Recording Restart Task:
        <Source>Microsoft Corporation</Source>
        <Date>1982-01-15T16:30:00-08:00</Date>
        <Description>Restarts recordings after a power failure.</Description>
        <URI>Microsoft\Windows\Media Center\RecordingRestart</URI>
        <SecurityDescriptor>D:(A;;FRFWSDWDWO;;;BA)(A;;FRFWSDWDWO;;;SY)(A;;FRFWFXDTDCSDWD;;;NS)(A;;FXFR;;;AU)</SecurityDescriptor>
      </RegistrationInfo>
      <Triggers>
        <BootTrigger>
          <Enabled>true</Enabled>
        </BootTrigger>
      </Triggers>
      <Principals>
        <Principal id="NetworkService">
          <UserId>S-1-5-20</UserId>
          <RunLevel>LeastPrivilege</RunLevel>
        </Principal>
      </Principals>
      <Settings>
        <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
        <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
        <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
        <AllowHardTerminate>true</AllowHardTerminate>
        <StartWhenAvailable>true</StartWhenAvailable>
        <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
        <IdleSettings>
          <StopOnIdleEnd>true</StopOnIdleEnd>
          <RestartOnIdle>false</RestartOnIdle>
        </IdleSettings>
        <AllowStartOnDemand>true</AllowStartOnDemand>
        <Enabled>false</Enabled>
        <Hidden>false</Hidden>
        <RunOnlyIfIdle>false</RunOnlyIfIdle>
        <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
        <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
        <WakeToRun>false</WakeToRun>
        <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
        <Priority>6</Priority>
      </Settings>
      <Actions Context="NetworkService">
        <Exec>
          <Command>%SystemRoot%\ehome\ehrec</Command>
          <Arguments>/RestartRecording</Arguments>
        </Exec>
      </Actions>
    </Task>

    ---------------------------EVENT LOG POWER SHELL EVENTS------------------
    Level,Date and Time,Source,Event ID,Task Category
    Information,7/25/2012 8:55:57 PM,PowerShell,403,Engine Lifecycle,"Engine state is changed from Available to Stopped.

    Details:
       NewEngineState=Stopped
       PreviousEngineState=Available

       SequenceNumber=10

       HostName=ConsoleHost
       HostVersion=2.0
       HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
       EngineVersion=2.0
       RunspaceId=a3fefa91-1f9c-4aee-86da-a3cfbb1c9386
       PipelineId=
       CommandName=
       CommandType=
       ScriptName=
       CommandPath=
       CommandLine="
    Information,7/25/2012 8:55:54 PM,PowerShell,400,Engine Lifecycle,"Engine state is changed from None to Available.

    Details:
       NewEngineState=Available
       PreviousEngineState=None

       SequenceNumber=9

       HostName=ConsoleHost
       HostVersion=2.0
       HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
       EngineVersion=2.0
       RunspaceId=a3fefa91-1f9c-4aee-86da-a3cfbb1c9386
       PipelineId=
       CommandName=
       CommandType=
       ScriptName=
       CommandPath=
       CommandLine="
    Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""Certificate"" is Started.

    Details:
       ProviderName=Certificate
       NewProviderState=Started

       SequenceNumber=8

       HostName=ConsoleHost
       HostVersion=2.0
       HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
       EngineVersion=
       RunspaceId=
       PipelineId=
       CommandName=
       CommandType=
       ScriptName=
       CommandPath=
       CommandLine="
    Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""Variable"" is Started.

    Details:
       ProviderName=Variable
       NewProviderState=Started

       SequenceNumber=7

       HostName=ConsoleHost
       HostVersion=2.0
       HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
       EngineVersion=
       RunspaceId=
       PipelineId=
       CommandName=
       CommandType=
       ScriptName=
       CommandPath=
       CommandLine="
    Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""Registry"" is Started.

    Details:
       ProviderName=Registry
       NewProviderState=Started

       SequenceNumber=6

       HostName=ConsoleHost
       HostVersion=2.0
       HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
       EngineVersion=
       RunspaceId=
       PipelineId=
       CommandName=
       CommandType=
       ScriptName=
       CommandPath=
       CommandLine="
    Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""Function"" is Started.

    Details:
       ProviderName=Function
       NewProviderState=Started

       SequenceNumber=5

       HostName=ConsoleHost
       HostVersion=2.0
       HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
       EngineVersion=
       RunspaceId=
       PipelineId=
       CommandName=
       CommandType=
       ScriptName=
       CommandPath=
       CommandLine="
    Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""FileSystem"" is Started.

    Details:
       ProviderName=FileSystem
       NewProviderState=Started

       SequenceNumber=4

       HostName=ConsoleHost
       HostVersion=2.0
       HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
       EngineVersion=
       RunspaceId=
       PipelineId=
       CommandName=
       CommandType=
       ScriptName=
       CommandPath=
       CommandLine="
    Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""Environment"" is Started.

    Details:
       ProviderName=Environment
       NewProviderState=Started

       SequenceNumber=3

       HostName=ConsoleHost
       HostVersion=2.0
       HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
       EngineVersion=
       RunspaceId=
       PipelineId=
       CommandName=
       CommandType=
       ScriptName=
       CommandPath=
       CommandLine="
    Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""Alias"" is Started.

    Details:
       ProviderName=Alias
       NewProviderState=Started

       SequenceNumber=2

       HostName=ConsoleHost
       HostVersion=2.0
       HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
       EngineVersion=
       RunspaceId=
       PipelineId=
       CommandName=
       CommandType=
       ScriptName=
       CommandPath=
       CommandLine="
    Information,7/25/2012 8:55:53 PM,PowerShell,600,Provider Lifecycle,"Provider ""WSMan"" is Started.

    Details:
       ProviderName=WSMan
       NewProviderState=Started

       SequenceNumber=1

       HostName=ConsoleHost
       HostVersion=2.0
       HostId=a0b19cdd-f141-427d-bfb7-7684b41f1d4c
       EngineVersion=
       RunspaceId=
       PipelineId=
       CommandName=
       CommandType=
       ScriptName=
       CommandPath=
       CommandLine="

    ------------------------------------- Command Prompt Info --------------------------
    C:\Windows\system32>IPCONFIG

    Windows IP Configuration


    Wireless LAN adapter Wireless Network Connection:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

    Ethernet adapter Local Area Connection:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

    Tunnel adapter isatap.{A48B0D30-C0EC-4443-BA28-EC95E44DB029}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

    Tunnel adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

    C:\Windows\system32>NETSTAT -A

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    0.0.0.0:135            5898OGardensDr:0       LISTENING
      TCP    0.0.0.0:445            5898OGardensDr:0       LISTENING
      TCP    0.0.0.0:49152          5898OGardensDr:0       LISTENING
      TCP    0.0.0.0:49153          5898OGardensDr:0       LISTENING
      TCP    0.0.0.0:49154          5898OGardensDr:0       LISTENING
      TCP    0.0.0.0:49155          5898OGardensDr:0       LISTENING
      TCP    0.0.0.0:49157          5898OGardensDr:0       LISTENING
      TCP    [::]:135               5898OGardensDr:0       LISTENING
      TCP    [::]:445               5898OGardensDr:0       LISTENING
      TCP    [::]:49152             5898OGardensDr:0       LISTENING
      TCP    [::]:49153             5898OGardensDr:0       LISTENING
      TCP    [::]:49154             5898OGardensDr:0       LISTENING
      TCP    [::]:49155             5898OGardensDr:0       LISTENING
      TCP    [::]:49157             5898OGardensDr:0       LISTENING
      TCP    [::1]:49156            5898OGardensDr:0       LISTENING
      UDP    127.0.0.1:1900         *:*
      UDP    127.0.0.1:49153        *:*
      UDP    [::1]:1900             *:*
      UDP    [::1]:49152            *:*

    C:\Windows\system32>TASKLIST

    Image Name                     PID Session Name        Session#    Mem Usage
    ========================= ======== ================ =========== ============
    System Idle Process              0 Services                   0         24 K
    System                           4 Services                   0        304 K
    smss.exe                       260 Services                   0        816 K
    csrss.exe                      412 Services                   0      2,836 K
    csrss.exe                      472 Console                    1     23,088 K
    wininit.exe                    480 Services                   0      1,216 K
    winlogon.exe                   528 Console                    1      4,452 K
    services.exe                   576 Services                   0      6,352 K
    lsass.exe                      600 Services                   0      6,848 K
    lsm.exe                        608 Services                   0      3,064 K
    svchost.exe                    712 Services                   0      5,256 K
    svchost.exe                    788 Services                   0      6,172 K
    svchost.exe                    404 Services                   0     26,744 K
    svchost.exe                    564 Services                   0      8,612 K
    svchost.exe                   1096 Services                   0     92,960 K
    svchost.exe                   1144 Services                   0     15,112 K
    wlanext.exe                   1900 Services                   0      2,572 K
    conhost.exe                   1908 Services                   0        768 K
    svchost.exe                   1944 Services                   0     19,276 K
    MsMpEng.exe                    432 Services                   0     35,024 K
    spoolsv.exe                    708 Services                   0      6,008 K
    svchost.exe                    952 Services                   0      7,392 K
    armsvc.exe                     700 Services                   0      1,680 K
    dsiwmis.exe                   1360 Services                   0      4,004 K
    ePowerSvc.exe                 1512 Services                   0      3,472 K
    LMutilps32.exe                1524 Console                    1      4,596 K
    HeciServer.exe                1576 Services                   0      1,912 K
    Jhi_service.exe               1584 Services                   0      2,388 K
    UpdaterService.exe             440 Services                   0      2,100 K
    rpcnetp.exe                   1704 Services                   0      2,300 K
    Ath_WlanAgent.exe             2036 Services                   0      3,388 K
    SearchIndexer.exe             2284 Services                   0     20,684 K
    taskhost.exe                  2996 Console                    1      3,920 K
    dwm.exe                       3064 Console                    1     73,108 K
    explorer.exe                  1708 Console                    1     47,820 K
    SeaPort.EXE                   2960 Services                   0      2,560 K
    svchost.exe                   1504 Services                   0      4,548 K
    IAStorDataMgrSvc.exe          1448 Services                   0      8,756 K
    LMS.exe                       1816 Services                   0      2,444 K
    UNS.exe                       2340 Services                   0      4,684 K
    wmpnetwk.exe                  1912 Services                   0      2,496 K
    ZuneLauncher.exe              2504 Console                    1      3,364 K
    msseces.exe                   1600 Console                    1      6,912 K
    hkcmd.exe                      896 Console                    1      3,108 K
    igfxpers.exe                  2400 Console                    1      6,332 K
    RAVCpl64.exe                  2268 Console                    1      7,216 K
    igfxsrvc.exe                  1672 Console                    1      4,428 K
    ETDCtrl.exe                   3076 Console                    1      6,912 K
    ePowerTray.exe                3084 Console                    1      5,088 K
    igfxext.exe                   3368 Console                    1      2,788 K
    ETDCtrlHelper.exe             3440 Console                    1      2,668 K
    unsecapp.exe                  3448 Console                    1      3,480 K
    WmiPrvSE.exe                  3492 Services                   0      5,172 K
    ePowerEvent.exe               3552 Console                    1      1,836 K
    LManager.exe                  3772 Console                    1      7,448 K
    MMDx64Fx.exe                  3844 Console                    1      3,352 K
    LMworker.exe                  3896 Console                    1      2,616 K
    cmd.exe                       3036 Console                    1      2,964 K
    conhost.exe                   2720 Console                    1      8,604 K
    notepad.exe                   3668 Console                    1     20,696 K
    tasklist.exe                  3828 Console                    1      5,492 K
    WmiPrvSE.exe                  3892 Services                   0      6,036 K

     DisplayName= <display name>
     password= <password>

    C:\Windows\system32>sc config lanmanworkstation start= disabled
    [SC] ChangeServiceConfig SUCCESS


    wmic:root\cli>wmic.exe
    wmic.exe - Alias not found.
    wmic:root\cli>process get
    Caption               CommandLine                                                                                                                                                                                                                                                                                         CreationClassName  CreationDate               CSCreationClassName   CSName          Description           ExecutablePath
    System Idle Process                                                                                                                                                                                                                                                                                                       Win32_Process                                 Win32_ComputerSystem  5898OGARDENSDR  System Idle Process
    System                                                                                                                                                                                                                                                                                                                    Win32_Process      20120728110202.651205-420  Win32_ComputerSystem  5898OGARDENSDR  System
    smss.exe              \SystemRoot\System32\smss.exe                                                                                                                                                                                                                                                                       Win32_Process      20120728110202.760405-420  Win32_ComputerSystem  5898OGARDENSDR  smss.exe
    csrss.exe             %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16  Win32_Process      20120728110214.039225-420  Win32_ComputerSystem  5898OGARDENSDR  csrss.exe             C:\Windows\system32\csrss.exe
    csrss.exe             %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16  Win32_Process      20120728110215.942428-420  Win32_ComputerSystem  5898OGARDENSDR  csrss.exe             C:\Windows\system32\csrss.exe
    wininit.exe           wininit.exe                                                                                                                                                                                                                                                                                         Win32_Process      20120728110215.989228-420  Win32_ComputerSystem  5898OGARDENSDR  wininit.exe           C:\Windows\system32\wininit.exe
    winlogon.exe          winlogon.exe                                                                                                                                                                                                                                                                                        Win32_Process      20120728110216.504029-420  Win32_ComputerSystem  5898OGARDENSDR  winlogon.exe          C:\Windows\system32\winlogon.exe
    services.exe          C:\Windows\system32\services.exe                                                                                                                                                                                                                                                                    Win32_Process      20120728110217.455631-420  Win32_ComputerSystem  5898OGARDENSDR  services.exe          C:\Windows\system32\services.exe
    lsass.exe             C:\Windows\system32\lsass.exe                                                                                                                                                                                                                                                                       Win32_Process      20120728110217.861232-420  Win32_ComputerSystem  5898OGARDENSDR  lsass.exe             C:\Windows\system32\lsass.exe
    lsm.exe               C:\Windows\system32\lsm.exe                                                                                                                                                                                                                                                                         Win32_Process      20120728110217.923632-420  Win32_ComputerSystem  5898OGARDENSDR  lsm.exe               C:\Windows\system32\lsm.exe
    svchost.exe           C:\Windows\system32\svchost.exe -k DcomLaunch                                                                                                                                                                                                                                                       Win32_Process      20120728110220.794037-420  Win32_ComputerSystem  5898OGARDENSDR  svchost.exe           C:\Windows\system32\svchost.exe
    svchost.exe           C:\Windows\system32\svchost.exe -k RPCSS                                                                                                                                                                                                                                                            Win32_Process      20120728110221.652038-420  Win32_ComputerSystem  5898OGARDENSDR  svchost.exe           C:\Windows\system32\svchost.exe
    MsMpEng.exe           "C:\Program Files\Microsoft Security Client\MsMpEng.exe"                                                                                                                                                                                                                                            Win32_Process      20120728110221.854839-420  Win32_ComputerSystem  5898OGARDENSDR  MsMpEng.exe           C:\Program Files\Microsoft Security Client\MsMpEng.exe
    svchost.exe           C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted                                                                                                                                                                                                                                    Win32_Process      20120728110222.978041-420  Win32_ComputerSystem  5898OGARDENSDR  svchost.exe           C:\Windows\System32\svchost.exe
    svchost.exe           C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted                                                                                                                                                                                                                                     Win32_Process      20120728110223.446042-420  Win32_ComputerSystem  5898OGARDENSDR  svchost.exe           C:\Windows\System32\svchost.exe
    svchost.exe           C:\Windows\system32\svchost.exe -k netsvcs                                                                                                                                                                                                                                                          Win32_Process      20120728110223.461642-420  Win32_ComputerSystem  5898OGARDENSDR  svchost.exe           C:\Windows\system32\svchost.exe
    svchost.exe           C:\Windows\system32\svchost.exe -k LocalService                                                                                                                                                                                                                                                     Win32_Process      20120728110225.255645-420  Win32_ComputerSystem  5898OGARDENSDR  svchost.exe           C:\Windows\sy
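The `tasklist` and `wmic process get` listings above are the right raw material, but at that width they are hard to read by eye. The script below is an added example (not code from the thread or from Computer Hope) that takes a `wmic` CSV export and applies three checks a responder would make on a Windows 7 box: core binaries such as smss.exe, csrss.exe, winlogon.exe, lsass.exe and svchost.exe running from anywhere but System32; svchost.exe whose parent is not services.exe; and svchost.exe started without a `-k <group>` argument. It assumes a default C:\Windows install and uses a constructed sample in the shape wmic produces, with two made-up suspicious rows at the end; the function names are the example's own.

```python
"""Triage of a `wmic process get ... /format:csv` export for process masquerading.

Added example for this thread, not code from the original posts. Assumptions
(labelled): Windows 7 x64 with %SystemRoot% = C:\\Windows, where the core
session/logon binaries only ever run from System32 and every svchost.exe is a
child of services.exe. Function names are this example's own.
"""
import csv
from typing import Dict, List, Tuple

SYSTEM32 = "c:\\windows\\system32\\"   # assumption: default install path

# Core binaries that should never run from anywhere but System32 on Win7.
CORE_SYSTEM32 = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "lsm.exe", "svchost.exe",
}

# Constructed sample in the shape wmic /format:csv emits: a leading blank line,
# then a header whose columns come out alphabetically after Node. The
# legitimate rows mirror the kind of entries in the thread's listing; the last
# two rows are made up to show what a hit looks like (not from the poster's box).
SAMPLE_CSV = r"""
Node,CommandLine,ExecutablePath,Name,ParentProcessId,ProcessId
HOST1,,,System Idle Process,0,0
HOST1,,,System,0,4
HOST1,\SystemRoot\System32\smss.exe,,smss.exe,4,272
HOST1,wininit.exe,C:\Windows\system32\wininit.exe,wininit.exe,344,392
HOST1,C:\Windows\system32\services.exe,C:\Windows\system32\services.exe,services.exe,392,488
HOST1,C:\Windows\system32\svchost.exe -k DcomLaunch,C:\Windows\system32\svchost.exe,svchost.exe,488,612
HOST1,C:\Windows\system32\svchost.exe -k netsvcs,C:\Windows\system32\svchost.exe,svchost.exe,488,860
HOST1,C:\Windows\Explorer.EXE,C:\Windows\Explorer.EXE,explorer.exe,1404,1500
HOST1,C:\Users\Public\svchost.exe -k netsvcs,C:\Users\Public\svchost.exe,svchost.exe,1500,3100
HOST1,C:\Windows\system32\svchost.exe,C:\Windows\system32\svchost.exe,svchost.exe,1500,3200
"""

Finding = Tuple[str, str, str]   # (ProcessId, Name, reason)


def parse_wmic_csv(text: str) -> List[Dict[str, str]]:
    """Parse wmic /format:csv text. wmic prints a blank first line and, when
    redirected to a file, uses CR CR LF line endings; dropping empty lines
    handles both before the csv module sees the data."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return list(csv.DictReader(lines))


def load_wmic_csv(path: str) -> List[Dict[str, str]]:
    """Read a redirected wmic export, which is normally UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_wmic_csv(fh.read())


def triage(rows: List[Dict[str, str]]) -> List[Finding]:
    """Flag core-binary names running outside System32 and svchost.exe
    instances with the wrong parent or no -k service group."""
    by_pid = {r["ProcessId"]: r for r in rows}
    findings: List[Finding] = []
    for r in rows:
        name, pid, path = r["Name"].lower(), r["ProcessId"], r["ExecutablePath"]
        if name in CORE_SYSTEM32:
            if not path:
                # wmic leaves the path empty when it cannot open the process
                # (normal for smss.exe, and for SYSTEM-owned processes from a
                # non-elevated prompt): rerun elevated before calling it a hit.
                findings.append((pid, name, "path not visible; rerun wmic elevated"))
            elif not path.lower().startswith(SYSTEM32):
                findings.append((pid, name, f"core name outside System32: {path}"))
        if name == "svchost.exe":
            parent = by_pid.get(r["ParentProcessId"])
            pname = parent["Name"].lower() if parent else "<exited>"
            if pname != "services.exe":
                findings.append((pid, name, f"parent is {pname}, not services.exe"))
            if " -k " not in r["CommandLine"].lower():
                findings.append((pid, name, "no -k service group on command line"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in triage(parse_wmic_csv(SAMPLE_CSV)):
        print(f"PID {pid:>5} {name:<12} {reason}")
```

To produce the input on the affected machine, run `wmic process get Name,ProcessId,ParentProcessId,ExecutablePath,CommandLine /format:csv > procs.csv` from an elevated prompt (the redirected file is UTF-16, which `load_wmic_csv` expects), then call `triage(load_wmic_csv("procs.csv"))`. An empty ExecutablePath is a reason to rerun elevated, not a finding on its own. Separately, note what the `sc config lanmanworkstation start= disabled` in the listing does and does not do: it changes the start type of the Workstation service (the SMB client), so mapped drives and `net use` stop working once the service is stopped or the machine reboots, but it has no effect on anything already running locally; `sc qc lanmanworkstation` shows the current START_TYPE.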

      SadLittleAcer (Topic Starter)
      Re: Please advise / help: Laptop hacked via Bluetooth Phone
      « Reply #1 on: July 31, 2012, 01:37:01 AM »
      On those cmds, in the middle of them, I disabled lanman (C:\Windows\system32>sc config lanmanworkstation start= disabled / [SC] ChangeServiceConfig SUCCESS). I should have done all the info cmds before I tried that sc config command; I was just anxious to see if it would work, I guess.
      I have the initial first-time start-up events on a USB drive. I'm just concerned that if I plug it into this laptop to copy/paste them into the forum I'll lose my laptop again.

      SuperDave (Malware Removal Specialist, Moderator)
      Re: Please advise / help: Laptop hacked via Bluetooth Phone
      « Reply #2 on: July 31, 2012, 06:05:55 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
      *************************************************************************
      Please run these scans on one computer only. It will be too confusing to try to clean more than one at the same time.

      SUPERAntiSpyware

      If you already have SUPERAntiSpyware be sure to check for updates before scanning!


      Download SuperAntispyware Free Edition (SAS)
      * Double-click the icon on your desktop to run the installer.
      * When asked to Update the program definitions, click Yes
      * If you encounter any problems while downloading the updates, manually download and unzip them from here
      * Next click the Preferences button.

      •Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
      * Click the Scanning Control tab.
      * Under Scanner Options make sure only the following are checked:

      •Close browsers before scanning
      •Scan for tracking cookies
      •Terminate memory threats before quarantining
      Please leave the others unchecked

      •Click the Close button to leave the control center screen.

      * On the main screen click Scan your computer
      * On the left check the box for the drive you are scanning.
      * On the right choose Perform Complete Scan
      * Click Next to start the scan. Please be patient while it scans your computer.
      * After the scan is complete a summary box will appear. Click OK
      * Make sure everything in the white box has a check next to it, then click Next
      * It will quarantine what it found and if it asks if you want to reboot, click Yes

      •To retrieve the removal information please do the following:
      •After reboot, double-click the SUPERAntiSpyware icon on your desktop.
      •Click Preferences. Click the Statistics/Logs tab.

      •Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

      •It will open in your default text editor (preferably Notepad).
      •Save the notepad file to your desktop by clicking (in notepad) File > Save As...

      * Save the log somewhere you can easily find it. (normally the desktop)
      * Click close and close again to exit the program.
      *Copy and Paste the log in your post.
      *********************************************
      Please download Malwarebytes Anti-Malware from here.
      Double Click mbam-setup.exe to install the application.
      • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
      • If an update is found, it will download and install the latest version.
      • Once the program has loaded, select "Perform Full Scan", then click Scan.
      • The scan may take some time to finish, so please be patient.
      • When the scan is complete, click OK, then Show Results to view the results.
      • Make sure that everything is checked, and click Remove Selected.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
      • Please save the log to a location you will remember.
      • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the entire report in your next reply.
      Extra Note:

      If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
      ********************************************************
      Please download aswMBR.exe ( 511KB ) to your desktop.

      Double click the aswMBR.exe to run it

      Click the "Scan" button to start scan

      Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

      On completion of the scan click save log, save it to your desktop and post in your next reply
      Windows 8 and Windows 10 dual boot with two SSD's

        SadLittleAcer (Topic Starter)
        Re: Please advise / help: Laptop hacked via Bluetooth Phone
        « Reply #3 on: August 01, 2012, 10:38:14 AM »
        Thank you so much for responding, your help means a lot to me.

        Not much in the log (?)   Yesterday I noticed that the windows updates had not been installed to my computer, but instead to drives named   \\?\C:\OfflineUpdateHotfixToWOS\scratchdir   and \\?\E:\Windows\SoftwareDistribution Download.  I don't have anything hooked/mounted to the laptop, what is this?
        Here's the log
        SUPERAntiSpyware Scan Log
        http://www.superantispyware.com

        Generated 08/01/2012 at 09:14 AM

        Application Version : 5.5.1012

        Core Rules Database Version : 8990
        Trace Rules Database Version: 6802

        Scan type       : Complete Scan
        Total Scan Time : 00:59:22

        Operating System Information
        Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
        UAC On - Limited User

        Memory items scanned      : 523
        Memory threats detected   : 0
        Registry items scanned    : 63168
        Registry threats detected : 0
        File items scanned        : 99795
        File threats detected     : 13

        Adware.Tracking Cookie
           C:\USERS\TRUSTEDINSTALLER\AppData\Roaming\Microsoft\Windows\Cookies\Low\FB3N4P1Y.txt [ Cookie:[email protected]/ ]
           C:\USERS\TRUSTEDINSTALLER\AppData\Roaming\Microsoft\Windows\Cookies\Low\BL0DOKP5.txt [ Cookie:[email protected]/accounts ]
           C:\USERS\TRUSTEDINSTALLER\AppData\Roaming\Microsoft\Windows\Cookies\Low\QCIJJJH6.txt [ Cookie:[email protected]/ ]
           C:\USERS\TRUSTEDINSTALLER\AppData\Roaming\Microsoft\Windows\Cookies\Low\DQD0HFFA.txt [ Cookie:[email protected]/ ]
           C:\USERS\TRUSTEDINSTALLER\AppData\Roaming\Microsoft\Windows\Cookies\Low\NAUMEQ9P.txt [ Cookie:[email protected]/ ]
           C:\USERS\TRUSTEDINSTALLER\AppData\Roaming\Microsoft\Windows\Cookies\Low\BVHKFZW3.txt [ Cookie:[email protected]/ ]
           C:\USERS\TRUSTEDINSTALLER\AppData\Roaming\Microsoft\Windows\Cookies\Low\S6WYCV06.txt [ Cookie:[email protected]/ ]
           C:\USERS\TRUSTEDINSTALLER\AppData\Roaming\Microsoft\Windows\Cookies\Low\JJYSS7KP.txt [ Cookie:[email protected]/ ]
           C:\USERS\TRUSTEDINSTALLER\AppData\Roaming\Microsoft\Windows\Cookies\Low\6BPDF1F8.txt [ Cookie:[email protected]/ ]
           C:\USERS\TRUSTEDINSTALLER\AppData\Roaming\Microsoft\Windows\Cookies\Low\AY3XUHP3.txt [ Cookie:[email protected]/ ]
           C:\USERS\TRUSTEDINSTALLER\AppData\Roaming\Microsoft\Windows\Cookies\Low\JHHGXT8I.txt [ Cookie:[email protected]/ ]
           C:\USERS\TRUSTEDINSTALLER\AppData\Roaming\Microsoft\Windows\Cookies\Low\CN38M69B.txt [ Cookie:[email protected]/ ]
           C:\USERS\TRUSTEDINSTALLER\AppData\Roaming\Microsoft\Windows\Cookies\Low\DZIRARPE.txt [ Cookie:[email protected]/ ]

        SuperDave (Malware Removal Specialist, Moderator)
        Re: Please advise / help: Laptop hacked via Bluetooth Phone
        « Reply #4 on: August 01, 2012, 04:27:42 PM »
        I still need to see the MBAM and aswMBR.exe logs and also these two logs.

        Download DDS from HERE or HERE and save it to your desktop.

        Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

        * XP users Double click on dds to run it.
        * If your antivirus or firewall tries to block DDS then please allow it to run.
        * When finished DDS will open two (2) logs.
        * Save both reports to your desktop.
        * The instructions here ask you to attach the Attach.txt.

        1) DDS.txt
        2) Attach.txt
        Instead of attaching, please copy/paste both logs into your thread.

        Note: DDS will instruct you to post the Attach.txt log as an attachment.
        Please just post it as you would any other log by copying and pasting it into the reply.

        •Close the program window, and delete the program from your desktop.

        Please note: You may have to disable any script protection running if the scan fails to run.
        After downloading the tool, disconnect from the internet and disable all antivirus protection.
        Run the scan, enable your A/V and reconnect to the internet.
        Information on A/V control HERE. Then post your DDS logs. (DDS.txt and Attach.txt)

          SadLittleAcer (Topic Starter)
          Re: Please advise / help: Laptop hacked via Bluetooth Phone
          « Reply #5 on: August 02, 2012, 05:39:02 PM »
          Will do. Please don't close the topic on me, I just have to wait until Saturday in case it shuts the laptop down and I have to reinstall Windows again, I won't have time during this work week.

          Any thoughts on the Windows update thing? I noticed today there's a folder in my Android called "fakeidentd". I can't view the files inside it. Don't know if it's related ?

          SuperDave (Malware Removal Specialist, Moderator)
          Re: Please advise / help: Laptop hacked via Bluetooth Phone
          « Reply #6 on: August 02, 2012, 06:20:52 PM »
          Quote from: SadLittleAcer on August 02, 2012, 05:39:02 PM
              Will do. Please don't close the topic on me, I just have to wait until Saturday in case it shuts the laptop down and I have to reinstall Windows again, I won't have time during this work week.

              Any thoughts on the Windows update thing? I noticed today there's a folder in my Android called "fakeidentd". I can't view the files inside it. Don't know if it's related ?
          This thread will remain open until we get this resolved. Don't reinstall Windows until we've explored all options. I have many tricks up my sleeve. As for the updates, we won't know until we run some scans.