
Need to help a friend: NetBIOS over TCP/IP attacks


RobCharles1981

Likes # 0

Hi all

Wondering if you can shed light on this one. One of my friends is having on-and-off problems with his computer. It's an Alienware by Dell and his OS is Windows 7 64-bit; he's had this problem for a couple of years.

It's become apparent he's a victim of a NetBIOS over TCP/IP attack, where some random person is scanning IPs and ports in order to connect to his computer.

He seems to think that this random person is using Hiren's Boot CD on his computer.

He's using a cable modem connection and has tried a few routers to combat this problem, but he says these attacks keep happening.

I for one looked up this attack and it doesn't work with Windows 7, or does it? He's trying so hard to get rid of this and has frequently reinstalled his OS, but the issue keeps coming back.

I'm not sure of the Security Setup he has.

I've googled on how to block this from happening and I've come up with this link:

http://support.microsoft.com/kb/313314

http://marjanrepic.wordpress.com/2011/07/05/disable-netbios-over-tcpip-in-windows-7-ent/

So how do I help him further, and am I on the right lines in order to help him solve the problem?

Thanks

Rob

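For the question in the first post (how to stop NetBIOS over TCP/IP being reachable on a Windows 7 box), here is an added PowerShell example; it is not code from this thread or from the Microsoft KB article linked above. It audits and disables NetBIOS over TCP/IP on every IP-enabled adapter, then shows who currently has an SMB session or share open, and assumes an elevated prompt on Windows 7 (PowerShell 2.0 is enough).

```powershell
# Added example (not from the thread): audit and disable NetBIOS over TCP/IP on
# every IP-enabled adapter, then list who currently has an SMB session/share open.
# Run from an elevated PowerShell prompt on Windows 7.
# Values understood by Win32_NetworkAdapterConfiguration.SetTcpipNetbios:
#   0 = use DHCP server setting, 1 = enabled, 2 = disabled
$NetbiosDisabled = 2

$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
foreach ($nic in $adapters) {
    # The current setting is stored under the NetBT key for this interface GUID.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_$($nic.SettingID)"
    $current = (Get-ItemProperty -Path $key -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    Write-Host ("{0}: NetbiosOptions={1}" -f $nic.Description, $current)
    if ($current -ne $NetbiosDisabled) {
        $result = $nic.SetTcpipNetbios($NetbiosDisabled)
        # ReturnValue 0 = applied immediately, 1 = applied but a reboot is required
        Write-Host ("  -> SetTcpipNetbios returned {0}" -f $result.ReturnValue)
    }
}

# After disabling, the local NetBIOS name table should be empty on every adapter.
nbtstat -n

# Who is connected to this machine over SMB right now, and what is being shared.
net session
net share

# Close port 445/139 at the firewall too, so a share that gets re-enabled later
# is still not reachable from the network.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No
```

If `nbtstat -n` still lists names after a reboot, an adapter was re-enabled or re-created (a new interface GUID gets a fresh registry key), so re-run the audit loop.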
RobCharles1981

Likes # 0

OK, here's more insight on this problem...

I had a reply from him and came up with everything I thought known to man, so I've picked out the good points...

rdave13 was right, it's the game that's at fault. It wasn't even the game's exe; it was the downloader for that game, via Ubisoft's network. He knows it's random users, and they join the network, get his user account and impersonate him?

"They get in, make themselves just ADMIN as a long GUID, and the GUID doesn't match me... so those users aren't me."

"dellsucks" is the main user account.

One of the screenshots in this thread shows AUTHENTICATED USERS as having read, write and execute when normally all they should have is SPECIAL PERMISSIONS, meaning they took over the permissions and took over user accounts, used my own account from another PC or iPad combo.

Uplay have fixed his account.

Dell had a look at this for him, logging in during the hijacking. They logged off and called him saying to format, but after that Respawn and backups won't work due to needing to format the Dell partitions.

I.e. a brand new HD will not work in an Alienware, not with Respawn or backup, as it needs Dell's 3 minor partitions, and 1 is made with Windows, 2 are made by the Alienware/Dell team.

The only solution is to get Dell to send me a drive, but they won't as I have 3 they still want returned.

Alienware runs on what is called COMMAND CENTER. This runs its coolant, its fans, its CPU, GPU, and yes, Respawn. Respawn rocks, imo now Acronis does too. But again, upon installing drivers for my PC, it fails, because Command Center can't install, because that partition is lost. So while I agree about 3rd party apps, it doesn't get my machine back to using proper cooling or anything. I fear also they revved up my rig to fry it, but I can't reduce the heat; markers are very hot at idle.

Next Email reply:

Right now all partitions are erased, but the BIOS is still making one somehow.

Got a good memory cleaner for boot time?

The CD is still stuck on legacy only, even changed to RAID from SCSI. I turned it back to SCSI and bam, the CD popped up in UEFI mode.

Dell says I should only run legacy, which is a joke as it only sees 2TB max, and it came built with UEFI.

Problem is upon boot the CD/DVD is in China region, 4x burn speeds, etc. Firmware was for sure flashed, or mocked, meaning not flashed but a file is telling it how to act. Even my isator.sys wasn't needed. USB seems to boot properly but no CD/DVD.

Reinstalling Windows when partitions are gone leads to 2 options, REPAIR or FIX, nothing else, no install, nothing. So yeah Dell, be wrong, trust me, gotta talk to Alienware specialists.

I WISH I knew how to make myself part of NO NETWORK, with NO SHARING of any kind. I've tried to disable file sharing on my NIC, in Windows, in the firewall.

Nothing works, it all gets turned back on by them.

And I told you it was users, not computers...

I didn't send the computer screenshot, but it showed it on the network mapped as Z:\ or \share\c: etc. (\ = Z:). Tried to dismount the volume; it gave me a shadow copy error saying if I did it, it would lose the data it was copying at the moment.

So I just shut it off. But there were 2 machines, a new mouse and keyboard, and monitor, and a relay, the one built into the motherboard, turned on, as well as an iPhone hotspot it showed, then from there the PC or Mac, whatever they are using.

I tried taking my BIOS battery out and flashing the BIOS that way with a jumper too. It said failed checksum to network BIOS, connect to NETWORK to search for the .bios file, failed to read Z:\. I have no Z:, not even hidden. Z:\ was made as a network drive on another PC or phone. I have so much info to give, but nothing I can prove as most of the info is in logs on the other HDs, or formatted by now. I saved most of their logs.

One thing they did was false Windows updates... they uninstall my updates and install theirs. Problem is this makes me look illegal as the certificates are then raped off me.

Right now I'm on the hijacked one. Windows installed, but only when I said repair. It then let me pick 3 installs. 3! That's after a format and erasing partitions! So it keeps making them every boot. Get this: even without a hard drive, BIOS and DVD still don't work, and are hijacked. Fun stuff. So right now I have my rig up, drivers installed minus isator, and no Control Center.

Any ideas?

rdave13

Likes # 0

I'm no expert in this area, but it seems illogical that even after a format he still feels his system is hijacked. I don't know how feasible this is, but worth a look: stop-router-dns-hijacks

RobCharles1981

Likes # 0

Update...

He got his game accounts back; Steam is still pending.

With the Uplay one I think he was able to enable the administrator account and set those security permissions on that game. Will know more for sure.

I'm still trying to work out what he's saying here:

"The CD is still stuck on legacy only, even changed to RAID from SCSI. I turned it back to SCSI and bam, the CD popped up in UEFI mode. Dell says I should only run legacy, which is a joke as it only sees 2TB max, and it came built with UEFI.

Problem is upon boot the CD/DVD is in China region, 4x burn speeds, etc. Firmware was for sure flashed, or mocked, meaning not flashed but a file is telling it how to act.

Even my isator.sys wasn't needed. USB seems to boot properly but no CD/DVD."

"I WISH I knew how to make myself part of NO NETWORK, with NO SHARING of any kind. I've tried to disable file sharing on my NIC, in Windows, in the firewall."

I said to check the network settings in the "Advanced Sharing Settings".

But he disabled file sharing:

"They still get in, and bump off the network to PUBLIC, and kick me out of my own workgroup so that I'm still admin but not a part of that network."

Anyone know a workaround for that one?

Also, he will get a screenshot of his GUID very soon.

Right now he's managed to get his computer up and running; he's done a repair of his system because:

"But only when I said repair. It then let me pick 3 installs. 3! That's after a format and erasing partitions! So it keeps making them every boot.

Get this: even without a hard drive, BIOS and DVD still don't work, and are hijacked."

So in theory he needs to speak to Alienware to get this sorted with their recovery partitions...

I'm wondering why he didn't receive the backup media for his system; there should also be a program where he could make his recovery disks?

Time will soon tell.

Cheers Rob

RobCharles1981

Likes # 0

OK, update: he's now provided me with the screenshots:

GUID http://i.imgbox.com/abhQdGMi.jpg

"I did this on the hijacked machine and there were 6 of these; 3 of them are the PC and Windows etc. Only 1 user as admin. No clue why you want the screenshot of the user accounts.

They even edited the variables to change drives: temp was z:\temp, not \temp or %temp% or anything. Even the exe and bat and such to execute were all erased, CPU changed, everything."

Variables:

http://i.imgbox.com/adyv64MS.jpg

"On the hijacked machine, where I have circled and underlined, it said z:\windows and the username was JOHNSMITH, not SYSTEM etc. On the top where it says temp, it didn't say USERPROFILE, it said z:\users\johnsmith etc., or in the end it just said \* and all filters had *, meaning let all go in and out. Even the firewall disabled all rules and set up its own. Same with controls for Windows and ATI management, all taken over."

He's tried the malware scanners I've mentioned to him:

"iolo does, but it only points it out when it's too late. It runs active scanning and blocking but gets turned to owned by the hijackers. Alienware confirmed this; it was taken over and named to John Smith."

It's users that are getting onto his network!!!!! They also took out his phone and TV!!!

Summary:

"If you can figure out how to erase hidden admin and shadow users, let me know.

TV and phones are controlled very easily these days; just you can see it very fast vs a PC.

The Alienware partitions have been gone since before the hijacking. When they installed a new drive (Dell) they didn't partition it; it was a new drive. Dell gave me a 3TB drive free saying so, so sorry, but it will never work like it did before."

Can someone please point a way forward?

Thanks

Rob

lotvic

Likes # 0

Man is he confused or what...

So the screenshots he gave you are not from the allegedly hijacked PC? (No JohnSmith on them.) How many PCs, printers, mobile phones etc. has he got, and does he run PCs completely separately or as part of his own little home network... and do his friends come with laptops, mobile phones etc. and share in that as well? Has he got wireless enabled on the router and is he sure no one else is logging on and using that? Is it password protected, WPA2 etc.? He should be able to check on his router's wireless home page to see how many devices are currently connected.

(Again) This is the us/en Dell page "How to install Windows 7 in an Alienware Computer". Ask him to do a Custom install properly and in the right order this time, with the network cable unplugged from his PC. I suggest he deletes all partitions so that the 3TB drive is all unallocated; then he can be sure of a clean drive. He also should take the time to learn about UAC permissions. Even a single Admin user will be denied access to some files. It's not like XP.

As you are intent on seeing this through, maybe it would benefit you, Rob, if you watched the video that is linked to. Also, as you have his service tag, you will be able to see what drivers need to be downloaded and in what order they should be installed.

I also suggest you look for other tutorials that may be useful for his setup. That's my limit reached now for offering constructive advice.

Note: if you could see your way to enclosing his words in "quotes" it would make for easier reading.

RobCharles1981

Likes # 0

Hi

He has since done a repair of the system and was unable to do a format. He spoke to Alienware, who confirmed it had been "hijacked"; their suggestion was to have a new hard drive and motherboard installed.

Those pics are an example of what the issue was.

"Quote": "Reinstalling Windows when partitions are gone leads to 2 options, REPAIR or FIX,

nothing else, no install, nothing."

"Quote": "But stop sending how to format partitions. Read up or talk to an Alienware rep; they would tell you you can never get the HD back the way Dell sent it, ever, not after wiping the partitions, not even on reformat with the OS.

It's an Alienware special partition, for Dell's Alienware only."

What he's saying in another reply:

"Quote"

They are gaining access on Wi-Fi on their phones. He provided me a link: http://superuser.com/questions/168294/building-a-media-center-pc-that-can-control-a-cable-box

Summary:

"If you can figure out how to erase hidden admin and shadow users, let me know.

TV and phones are controlled very easily these days; just you can see it very fast vs a PC.

The Alienware partitions have been gone since before the hijacking. When they installed a new drive (Dell) they didn't partition it; it was a new drive. Dell gave me a 3TB drive free saying so, so sorry, but it will never work like it did before, etc., blah blah."

Any Ideas?

lotvic

Likes # 0

Rob, he's got you as confused as he is. Sorry and everything, but it makes me feel like asking him if he still has the packing boxes.

RobCharles1981

Likes # 0

He's going to join the forum and explain what's going on. I'm going round in circles. Where's Secret Squirrel gone?????

jaywoo

Likes # 0

As has been mentioned before, ensure Wi-Fi is set up with WPA2 and a good long password, turn off WPS and/or turn off Wi-Fi altogether until you can configure it securely; hook devices up with cables in the meantime. I would suggest your friend finds a local reputable PC repair guy to apply some knowledge and logic to the situation; it seems to me you're both tying yourselves in knots trying to figure things out.

RobCharles1981

Likes # 0

I quite agree too, it's getting me in knots. I've told him to stop by here to explain things. Some of the options he told me were these:

He's currently using the iolo System Mechanic that Dell sold him, and when he scanned, 2 files came up and it detected the hijacking and shut the PC down to protect the files.

There is Wi-Fi on his computer to allow Dell and Alienware support to connect to him to solve issues (this I think is where the problem is).

It's users somehow getting on this network and I can't work out what!!!

I told him about the usual software, Avast and all that, but he says it doesn't pick anything up????

The bottom line is this: he's from the USA and using a company called Comcast (cable) for his TV and net; these hijackers took out his TV.

"Quote"

"As for how they get in, the Wi-Fi or cable, they don't need passwords, and all protection never helps. On a cable box you should see what's called RF IN and RF OUT. You can't block those, just solder them, which is illegal.

RF = what? lol, radio frequency, aka remote control.

You can use a phone or iPad as a remote; think about what might come next.

They even hacked my TV itself, frying the firmware on that SOB. I can explain that more too.

But it just seems you cats are fixed on a few points and won't move from it."

Head Scratching Moment


This thread has been locked.
