Need to Help A Friend NetBIOS over TCP/IP Attacks


RobCharles1981

Hi all

Wondering if you can shed light on this one. One of my friends is having on-off problems with his computer. It's an Alienware by Dell and his O/S is Windows 7 64-bit; he's had this problem for a couple of years.

It's become apparent he's a victim of a NetBIOS over TCP/IP attack, where some random person is scanning IPs and ports in order to connect to his computer.

He seems to think that this random person is using Hiren's Boot CD on his computer.

He's using a cable modem connection and has tried a few routers to combat this problem, but he says these attacks keep happening.

I for one looked up this attack and it doesn't work with Windows 7. Or does it? He's trying so hard to get rid of this and has frequently re-installed his O/S, but the issue keeps coming back.

I'm not sure of the Security Setup he has.

I've googled on how to block this from happening and I've come up with this link:

http://support.microsoft.com/kb/313314

http://marjanrepic.wordpress.com/2011/07/05/disable-netbios-over-tcpip-in-windows-7-ent/

So how do I help him further and am I on the right lines in order to help him solve the problem?

Thanks

Rob

RobCharles1981

Thanks Dave, we are onto something here. I will tell him.

Secret-Squirrel

"He's sent me screenshots of the problem he's having and it's no virus; he says it's a "Person" on his account or computer"

I've looked at the screenshots you've posted and noticed the usernames that begin with S-1-5-21. That long string of letters and numbers is called a GUID (Globally Unique IDentifier) and Windows uses it internally as an alias for a real user account on the PC. What's being displayed there isn't necessarily sinister, and from what I can gather, occurs when Windows has been reinstalled and the same username is created each time so you end up with multiple GUIDs that point to the same user account. It's possible that all those GUIDs actually point to your friend's Windows account or an account that is normally present on a Windows 7 PC.

By looking in the Windows Registry, it should be possible to identify a user account from its GUID. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Click on the sub-key in the left-hand pane for the GUID you're interested in then look at the data for ProfileImagePath in the right-hand pane. It should show something like C:\Users\XXX where XXX is the name of a user.

Get your friend to try this for each GUID he's worried about and report back what he discovers.

From what you've posted so far, I still can't see any evidence that he's been hacked into.

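A scripted version of the lookup described in the post above, added here as an example rather than anything posted in the thread: it walks the ProfileList key and shows, for each S-1-5-21-style security identifier (SID), the profile folder it maps to and the account name Windows still resolves it to, which separates built-in system accounts and reinstall leftovers from anything unexpected. It assumes an elevated PowerShell prompt on the PC being checked.

```powershell
# Added example, not code posted in the thread: walk the ProfileList key and
# show, for each profile security identifier (SID), the folder it maps to and
# the account name Windows still resolves it to. Assumes an elevated
# PowerShell prompt on the PC being checked.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

Get-ChildItem -Path $profileList | ForEach-Object {
    $keyName = $_.PSChildName            # S-1-5-21-...-1001 for a user, S-1-5-18 for SYSTEM, etc.
    $rawPath = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ProfileImagePath
    # System profiles store %systemroot%\... ; expand it so the folder check is meaningful.
    $path = if ($rawPath) { [Environment]::ExpandEnvironmentVariables($rawPath) } else { $null }

    # A profile whose account was deleted or recreated may be renamed with a .bak suffix.
    $sid = $keyName -replace '\.bak$', ''
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                       [System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '(no account matches this SID: profile left behind by a deleted or reinstalled account)'
    }

    New-Object -TypeName PSObject -Property @{
        SID          = $keyName
        Account      = $account
        ProfilePath  = $path
        FolderExists = if ($path) { Test-Path -LiteralPath $path } else { $false }
    }
} | Select-Object SID, Account, ProfilePath, FolderExists | Format-Table -AutoSize
```

Entries that resolve to NT AUTHORITY\SYSTEM, LOCAL SERVICE or NETWORK SERVICE are the built-in Windows accounts; an S-1-5-21 entry that resolves to the friend's own username, or to nothing at all after a reinstall, is the duplicate-profile situation the post above describes.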
RobCharles1981

Thanks for the input. I'll ask him and report back with the information.

RobCharles1981

Guys, to update on this: regarding the security identification, another source told me of this link about it:

http://pcsupport.about.com/od/registry/ht/find-user-security-identifier.htm

And from what RDave is saying, can he simply remove these profiles from his computer?

Secret-Squirrel

"............from another source told me of this link about it:"

Rob, that link contains the same information that I posted yesterday and you haven't returned with the details I asked for. It took me all of ten seconds to open Regedit and discover the username associated with a GUID so I don't understand why you guys can't do it and report back your findings.

"And from what RDave is saying can he simply remove these profiles from his computer?"

Not until we know which user accounts those GUIDs belong to. Like I said yesterday, they could point to your friend's Windows account or a Windows 7 system account and removing them could cause catastrophic problems.

RobCharles1981

OK, I'm on it.

RobCharles1981

He replied today and will send on the info; something I picked out....

again this is a real person... 2 people... very personal... very much take over and yes, false users with all the right permissions

note: they remove all active users' admin from workgroup... then allow the hidden user or user template to be admin...

Will update when I have more...

Thanks.

rdave13

Secret-Squirrel is the best here for help no doubt about it.

When your friend re-installed the OS did he go back to any online game? That is where the link should be in my humble opinion. Either a game server or any other server he logs in to. It could well be that the hacker is connected to the server that connects to your friend's PC.

If you think it's a game server then notify the admin on the site. I've no idea how to do this as I'm not a gamer, but you should be able to notify them of any abnormality in security?

RobCharles1981

This was a reply I had the other day; I picked out some points.

very much take over and yes, false users with all the right permissions. note: they remove all active users' admin from workgroup... then allow the hidden user or user template to be admin... something with... syncing... then you can see it all again but only with Linux.

they are running gpart, a Linux partition tool; a few of my drives I can't even see as they show 20 diff partitions with 20GB each instead of the 2 partitions it had.

Today his reply:

The admin rights

the other drive is a SATA to USB connector... with autoplay disabled it's a great self-recovery for non-exe or archives

but I don't have access anymore to either drive, as this was a one-time shot on my dad's machine (his is still working but I don't live here)

can't get Windows reloaded as they fried and firmware-jacked the A. BIOS B. DVD drive

the DVD drive is only in legacy mode not UEFI... yet I'm in UEFI.

and booting from the DVD sends it to a network drive... and if one doesn't exist... it partitions 100MB to make for "fake Windows"; it's like just a shell of 2000 edition... not even XP or Win7

can't repair... restore... nothing

so I moved every file over to a single zip in 900000 parts lol and then ran my own HIREN'S BOOT from USB stick legacy mode...

BOOT... AND NUKE... it's called...

google that one

sadly this erases any future ability to make recovery possible... not JUST of the old data but of making even recovery points... as Dell drives for the Alienware Aurora series have 4 partitions... 2 for Alienware/Dell stuff and 2 for Windows...

all only a total of 200MB to 1GB depending

one is only 27MB... UEFI is a bit larger

but after that... even Dell will tell you... you can never get RESPAWN (recovery for Alienware) to run

so Windows recovery discs.... backup... all these things... WON'T WORK.

He tried to nuke the system - only I couldn't use Windows itself to do it

and Respawn will never work again... ever... as I can't make a partition with the stuff that came from Dell, unless there are pros that do... Dell even said I'm screwed.

while they are running gpart, a Linux partition tool

a few of my drives I can't even see as they show 20 diff partitions with 20GB each instead of the 2 partitions it had.

Any Clues?

Secret-Squirrel

Don't take offence Rob but I'm unable to help your friend any further.

I've seen the threads you've started on behalf of your friend on other forums, and like here, they simply don't make much sense - most of what he's saying shows an inadequate understanding of Windows, networks, and computers in general, with a large helping of what appears to be paranoia thrown in. Take one example - he talks about being infected and hacked into over a two-year period and yet Avast, MSE, Malwarebytes, Norton and McAfee never find anything.

It seems to me that in his efforts to eliminate hackers and malware (that probably never existed in the first place) he's completely shagged his PC. Because of your friend's current situation, the best advice is from the chap on the other forum who suggested ordering the Recovery media from Dell, wiping the hard drive, and starting afresh.

This thread has been locked.