here we go.....
did another destructive reformat last night. immediately, the black command screen flashed randomly, and when the reformat finished (just like other times) i saw it load a bunch of stuff (just like when you go into safe mode and all that stuff flashes by). so nothing has changed; that thing still shows up. at the bottom left of my screen a small window flashed, looked like a user icon, a little head or two but it flashed by fast and i couldn't pin it down what that was.
downloaded and updated avira after uninstalling norton via add/remove programs. no virus found. then did all the updates manually, so am up to date with all sp's and security patches. did complete scans, rootkit, registry, etc. nothing.
so far i can still get on the net, but am writing this from the library. i'm going to give you some info about what is happening.
first thing: even in safe mode, as administrator, i cannot change or delete the owner administrator account. those permissions are blocked.
these services listed below are all supposed to, by default, be logged on by either the local system or local service. instead, they are taken over by something called (all in caps) NT AUTHORITY\Local Service and are password protected. same thing as last time. first it takes over my services and the user accounts. then it takes ownership of the hard drive. etc etc. here are the services it is running that it's not supposed to be controlling:
RPC (Remote Procedure Call - without that -- no internet access. many other services depend on it)
ASP.Net State Service
Alerter
Application Layer Gateway
SSDP
Smart Card
TCP/IP - another important one for internet service
UP&P
Uninterruptible Power
Web Client
all of those should NOT be run by NT AUTHORITY.
next, it will start shutting down these services starting with RPC. and then it will start taking ownership and then i will start getting 'access denied' or 'folder is empty' if all goes as before. it seems to be going that way.
also, i have been looking around in the start menu. under "all programs" > startup > is something called run_startmenu - file path:
C:\Documents and Settings\All Users\ Start Menu\P
i've never noticed that before, and all the other stuff has 2004 create dates so i feel that whatever/whoever is up to it again, and that this may be how autoruns are getting started in boot up. just a wild guess from a desperado clutching at anything that may make sense or be important to tell you.
i have, in the past, tried to take back the default log ons for the services; changed them manually, one by one. and i have changed ownership back to myself as administrator and got rid of 'administrators' and 'current user' and that user with S- and a bunch of letters and numbers. i have also tried doing nothing. it all ends up the same way it seems.
let me know if you feel we should continue trying to solve the mystery, or if i should just put the computer in the trash or drop it from a second story window. i know i don't want to obsess over it again, and if it's a lost cause, my energy might be better spent trying to find a new hand me down puter rather than trying to fix a terminally infected one.
i'm ok with whatever, either way, so follow your gut! i leave it to your decision.
i'll check at home tonight to see your response. thanks, jwang01!
Edited by pixillated, 29 April 2010 - 07:38 PM.