Desperately Seeking Help Linux/Windows knowledge -- Sanity at Stake

1 Attachment(s)

Hi.

The above title is a little dramatic I realize, but it is nonetheless close to the truth. In fact, this is the second forum from which I have sought help (fyi, I am new here and this is my first post), however this is my first Linux forum and I hope that it will be more successful.

This is a very long story, but I will try to summarize as succinctly as possible.

First, I am not a "native" Linux user. I cut the Windows cord finally only 6 months ago. I am currently writing this post from a Mint Linux distro, but I had used Ubuntu as a dual boot until this security problem

However, while I am not terribly well-versed yet in Linux, I have been using (and very effortlessly so) computers for 20-25 years. I was a programmer for awhile in my teens. Started programming in BASIC in junior high (and started to learn assembly), then COBOL during high school because of a job I had, then VB during college. HTML/CSS came next, then Python, and currently trying to get through the initial pangs of the glyph like feel of Perl -- however, I am especially excited to get my hands dirty with it given its significance in Unix/Linux.

I am making a career transition at the moment from attorney to "not quite sure yet" in the IT area. So, overall my Linux skills are about a 2/10 (but part of my stagnant growth is due the problem I am having--the reason for this post). OK, that is a little background on me. Thank you for reading. Now to my problem.

About 5 months ago, I was learning various wireless protocols and was using some tools to learn tcp and udp packet structure, etc... Somehow and at some point along the way my only pc a laptop -- which as an fyi, was a dual boot machine with Ubuntu Intrepid and Windows 7-- had a security breach. I thought then that it might just be a virus/trojan/worm or something I had to hunt down and eradicate. However, it turns out that it could very well be something worse -- a total hijacking, which I cannot seem to get rid of....to this day.

After a month of trying to get my laptop to a normal functioning state, I decided to seek out help on the web. Since I was using a beta Windows version and suspected a possible security flaw, I first went to sevenforums.com to discuss my problem. While everyone there is helpful and very knowledgeable in Windows, no one has yet to offer me any solutions which I have not already tried.

My theory as to what is taking place -- based on 4 months of trying to work on this -- is that the intruder is using something rather novel (I will explain this below) to gain initial penetration (incidentally, this intruder/hijacker is not particularly malicious or destructive, but rather only seems to automate much of his presence until he needs to actively do something in his defense. He really only restricts my using Windows when it interferes with whatever he is using my laptop for -- and this is still unclear to me. On the windows forum, I have posted countless screenshots and other data showing very strange and unusual states in Windows, but the group at large seems to think I have not taken the right steps to clean my machine.

My theory, and it seems no one believes me (or at least no one who has any real knowledge in IT/computers), is that for initial access, this intruder uses bluetooth from an AP to my laptop assisted by a trojan that --because he will actively get involved as needed-- is infinitely mutatable and relocatable. From that point he establishes a typical TCP/UDP connection (as much connection as UDP will allow anyway), and in Windows, I am then on a doman/Active Directory, and even my Administrator privileges cannot go beyond his Server-level admin privileges.

As strange as that may seem to anyone who is reading this, he is not only in Windows, but Linux as well. I first became aware of this when I would use my Backtrack USB or CD. After the infection, I never had root privileges in any linux distro I had--whether I was using a LIVE CD or a full installation. And given the nature of Backtrack, he will severely restrict my use of either Backtrack 3 or 4, as I would guess the tools contained on those CDs might expose him. But my first clue was that I was no longer (and never since) had root privileges in any Distro I have used. Sometimes I would have the name "root", but the PID of 1000. Or he would get into the boot process or LIVE installation before me with privileges and lock things or set things up so I could not use them as expected (yet I was then root with the apparent PID of 0, but somehow he had made it impossible for me to fix what he change (I now have a solid and pretty secure ethernet connection, but back when I relied on wireless, this whole mess rendered my laptop almost useless. He has also made devices and commands in Linux disappear --and this is where my inadequate Linux skills show because I do not know what to do to retrieve them.

In windows, I end up trying to take back control of my laptop by terminating processes or services which I have learned he needs, which then results in a battle for the control of my pc, which sooner or later crashes due to the fact that whatever I have done (presumably) has damaged the system or he chooses to prevent me from booting into windows because the system can no longer function correctly to support is full functionality.

Being used to my dual-boot setup, originally I had to reinstall both OS's countless times. Finally, since I knew that his means of access and existence were based on Windows code, I stopped doing full installs of Ubuntu, and have since then been using a Mint Linux (Deb/Ubuntu based) LIVE CD for Linux (which is more frequent than before since Windows use always end up with a drive-wipe and a reinstallation) and just reinstalled Windows 7 or Vista (if I had to ensure that the installatino of an OS was 100% clean). The one thing I do know about Linux is that it is far more simpler -- with the proper skill level-- to isolate and track someone like this than it is in windows. However, he is extrememely intelligent in both OSs, and as said has higher privileges than me in both as well. I basically have a roommate I do not want, and try as I might, I cannot exorcise him from this laptop. Before I go further, look at the attached screenshot of a terminal window where I executed "ps a". I think to anyone who is familiar with Linux and X-windows, you can see that something sticks out like the proverbial sore thumb. See attached.

I know this is unbelieveable, but last weekend, I went so far as to swap out the old 250GB Toshiba HD for a brand new WD 320GB drive, then installing Windows Vista from factory CDs. Either the trojan he used was still somehow in memory, or bluetooth or another protocol I am not familiar with (nor are the Windows people) is still allowing him access in some very arcane way

While I am in this LIVE CD right now, I had planned on going to run ps -i and ps -ef to show you why I think he can change his privileges before I login....but I am now unable to use the command "ps". :x

I know this is very hard to believe, but if you take my word that the screenshot is authentic (and I would love to know what else you can derive from that output), then if you are aggressive and can instruct me what to do, I and my sanity, would be eternally grateful.

In any case, please tell me what you think.

Thank you very much, and I apologize that my first post could not be one of contribution instead of asking for assistance,,,

Paul

Howdy and Welcome ConnerX. Have you ran rkhunter yet in Mint? While I probably don't have the skillset to bail ya out of your predicament. I did enjoy reading your post. That is some Intro.

You should be able to find rkhunter in Synaptic Package manger in your Linux Mint. The 2 rkhunter links I posted are how tos so you can run it. I suggest you set a firewall also using Firestarter which is a GUI frontend for iptables firewall. Here is another How to for Firestarter Setup.

And since ya can never have to many How to Here Is Another

Good Luck ConnerX

EDIT: Your screenshot won't show up because you are new to the forum. It is because of Spam protection that this is so.:smile:

Thank you very much for your suggestion, but while the intruder was not around for a bit, the second I opened a terminal, he was back. By the time I got to ./install rkhunter my user rights to install the rootkit detector came up "permission denied".

That is why I cannot do anything in Linux, in windows, and believe it or not, I had a flash drive with the infection/rootkit on it (I assuming this anyway), and while at a commercial internet cafe with workstations, I used the flash drive. Moments later all my rights on that system were denied in the same manner. I know that in addition to bluetooth, which is for wireless purposes, he uses primary UDP embedded in ipv6. This makes it easy for him to get past NATs and firewalls too.

Wow. Well then. Do you have the ability to open Synaptic Package Manger and install rkhunter from there?

Well I feel stupid....it was in synaptics. I installed it and it is running.

Although....I have my doubts. I will let you know.

But it has been four months that I have been dealing with it. In windows, this guy or these people (or kids) or whoever.... they can get hooks into everything before I login, they have already made configurations if necessary to their advantage.

I do not know how long it takes to run... But I will post when it does. Meanwhile... check out the attached from running this command: ps -A e -l -y

It is just all processes, with the environment displayed after the command in each process, then the -l and -y are formatting switches (I believe).

I see a couple of words which really spook me in this output. One is SSH, The other is Bluetooth. Since my theory has been that either my motherboard or memory takes a VERY long time to lose its charge (which means it holds the code that is causing my problem), OR the people responsible for the trojan are using another means (at least initally) to access my laptop). In the past 4 months, I have removed my wireless NIC and the problem remains--active involvement by someone or a code that is running (and really smart!). Then after I swapped out my old drive for a brand new drive, I was nearing implosion with how confused I was that this problem won't seem to go away. So after reading for several hours on MSDN (microsoft developers info) the only thing I could come up with to explain a method (reasonably plausible anyway) to get to my lap top when my wireless NIC is not installed and I am not connected to an ethernet LAN or dsl or anything wired, would be another RF. Infared would not work because it is way too short-range and the line-of-sight requirements are too strict. However, Bluetooth can go up to a mile with enough power behind it; it is a radio frquency and can be carried by APs from the internet, and further, the line of sight needs are a lot less. One problem (or rather debate) I am having with other people (Windows people) is that they insist that there needs to be mutual authentication for anything like this to take place. Being someone with a "hacker" mindset, I would think that anyone who has an "absolute" when it comes to computer/internet security is not really going to be very good at security. Generally, at the Windows forum, where I am also posting about this, this theory is met with anything from rejection to laughter.

I have been all over Chicago (where I live) and no matter where I am, this "bug" (which is likely automated a good deal of the time--but also it is used to assist in direct access to my pc to do things to disrupt whatever I am doing because for whatever reason he/she/they do not want me to do it. Or they may reconfigure things and set ACL or group policies so I can no longer run an app, access a directory, etc. Which is why I typically have to reinstall.

But in Linux--which I will say is far less affected by this -- is by no means immune. As I have said (I think) in my other post, when I did not have an ethernet connection and relied on wireless, I had a real tough time getting any work done because I was constantly fighting for control of my laptop so I could get access to the internet. In Linux, eth1, my wireless adapter, would suddenly just not be output when I used ifconfig. I am sure that it is something someone with particularly strong linux skills could do (or maybe not, because I do not have very strong skills), but I do know that I need this thing gone and quick.....I am going to end up homeless and with some mental disorder....

Look at this output...I do not understand a lot of the switches and what the process or command that is running is supposed to be doing, so if you have any info you could share, it would be immensely helpful.

Below is the output from rkhunter. there are two suspect files (but I am not sure what to do with them). The amusing thing is that I am on a LIVE CD, not an installation. if these two files are actually malicious, imagine what they could do to a full installation (if i do not get a really good firewall)....

mint@mint ~ $ sudo rkhunter -c
[ Rootkit Hunter version 1.3.2 ]

Checking system commands...

Performing 'strings' command checks
Checking 'strings' command [ OK ]

Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preload file [ Not found ]
Checking LD_LIBRARY_PATH variable [ Not found ]

Performing file properties checks
Checking for prerequisites [ OK ]
/bin/bash [ OK ]
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/cp [ OK ]
/bin/date [ OK ]
/bin/df [ OK ]
/bin/dmesg [ OK ]
/bin/echo [ OK ]
/bin/ed [ OK ]
/bin/egrep [ OK ]
/bin/fgrep [ OK ]
/bin/fuser [ OK ]
/bin/grep [ OK ]
/bin/ip [ OK ]
/bin/kill [ OK ]
/bin/login [ OK ]
/bin/ls [ OK ]
/bin/lsmod [ OK ]
/bin/mktemp [ OK ]
/bin/more [ OK ]
/bin/mount [ OK ]
/bin/mv [ OK ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/pwd [ OK ]
/bin/readlink [ OK ]
/bin/sed [ OK ]
/bin/sh [ OK ]
/bin/su [ OK ]
/bin/touch [ OK ]
/bin/uname [ OK ]
/bin/which [ OK ]
/bin/dash [ OK ]
/usr/bin/awk [ OK ]
/usr/bin/basename [ OK ]
/usr/bin/chattr [ OK ]
/usr/bin/cut [ OK ]
/usr/bin/diff [ OK ]
/usr/bin/dirname [ OK ]
/usr/bin/dpkg [ OK ]
/usr/bin/dpkg-query [ OK ]
/usr/bin/du [ OK ]
/usr/bin/env [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/GET [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/head [ OK ]
/usr/bin/id [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/last [ OK ]
/usr/bin/lastlog [ OK ]
/usr/bin/ldd [ OK ]
/usr/bin/less [ OK ]
/usr/bin/locate [ OK ]
/usr/bin/logger [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/lsof [ OK ]
/usr/bin/mail [ OK ]
/usr/bin/md5sum [ OK ]
/usr/bin/mlocate [ OK ]
/usr/bin/newgrp [ OK ]
/usr/bin/passwd [ OK ]
/usr/bin/perl [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/rkhunter [ OK ]
/usr/bin/runcon [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/size [ OK ]
/usr/bin/sort [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/strace [ OK ]
/usr/bin/strings [ OK ]
/usr/bin/sudo [ OK ]
/usr/bin/tail [ OK ]
/usr/bin/test [ OK ]
/usr/bin/top [ OK ]
/usr/bin/touch [ OK ]
/usr/bin/tr [ OK ]
/usr/bin/uniq [ OK ]
/usr/bin/users [ OK ]
/usr/bin/vmstat [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/wc [ OK ]
/usr/bin/wget [ OK ]
/usr/bin/whatis [ OK ]
/usr/bin/whereis [ OK ]
/usr/bin/which [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
/usr/bin/mawk [ OK ]
/usr/bin/lwp-request [ OK ]
/usr/bin/bsd-mailx [ OK ]
/usr/bin/w.procps [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/ifdown [ OK ]
/sbin/ifup [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/ip [ OK ]
/sbin/lsmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/modprobe [ OK ]
/sbin/rmmod [ OK ]
/sbin/runlevel [ OK ]
/sbin/sulogin [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/sbin/adduser [ OK ]
/usr/sbin/chroot [ OK ]
/usr/sbin/cron [ OK ]
/usr/sbin/groupadd [ OK ]
/usr/sbin/groupdel [ OK ]
/usr/sbin/groupmod [ OK ]
/usr/sbin/grpck [ OK ]
/usr/sbin/nologin [ OK ]
/usr/sbin/pwck [ OK ]
/usr/sbin/tcpd [ OK ]
/usr/sbin/unhide [ Warning ]
/usr/sbin/useradd [ OK ]
/usr/sbin/userdel [ OK ]
/usr/sbin/usermod [ OK ]
/usr/sbin/vipw [ OK ]
/usr/sbin/unhide-linux26 [ Warning ]

[Press <ENTER> to continue]

Checking for rootkits...

Performing check of known rootkit files and directories
55808 Trojan - Variant A [ Not found ]
ADM Worm [ Not found ]
AjaKit Rootkit [ Not found ]
aPa Kit [ Not found ]
Apache Worm [ Not found ]
Ambient (ark) Rootkit [ Not found ]
Balaur Rootkit [ Not found ]
BeastKit Rootkit [ Not found ]
beX2 Rootkit [ Not found ]
BOBKit Rootkit [ Not found ]
CiNIK Worm (Slapper.B variant) [ Not found ]
Danny-Boy's Abuse Kit [ Not found ]
Devil RootKit [ Not found ]
Dica-Kit Rootkit [ Not found ]
Dreams Rootkit [ Not found ]
Duarawkz Rootkit [ Not found ]
Enye LKM [ Not found ]
Flea Linux Rootkit [ Not found ]
FreeBSD Rootkit [ Not found ]
****`it Rootkit [ Not found ]
GasKit Rootkit [ Not found ]
Heroin LKM [ Not found ]
HjC Kit [ Not found ]
ignoKit Rootkit [ Not found ]
ImperalsS-FBRK Rootkit [ Not found ]
Irix Rootkit [ Not found ]
Kitko Rootkit [ Not found ]
Knark Rootkit [ Not found ]
Li0n Worm [ Not found ]
Lockit / LJK2 Rootkit [ Not found ]
Mood-NT Rootkit [ Not found ]
MRK Rootkit [ Not found ]
Ni0 Rootkit [ Not found ]
Ohhara Rootkit [ Not found ]
Optic Kit (Tux) Worm [ Not found ]
Oz Rootkit [ Not found ]
Phalanx Rootkit [ Not found ]
Phalanx Rootkit (strings) [ Not found ]
Portacelo Rootkit [ Not found ]
R3dstorm Toolkit [ Not found ]
RH-Sharpe's Rootkit [ Not found ]
RSHA's Rootkit [ Not found ]
Scalper Worm [ Not found ]
Sebek LKM [ Not found ]
Shutdown Rootkit [ Not found ]
SHV4 Rootkit [ Not found ]
SHV5 Rootkit [ Not found ]
Sin Rootkit [ Not found ]
Slapper Worm [ Not found ]
Sneakin Rootkit [ Not found ]
Suckit Rootkit [ Not found ]
SunOS Rootkit [ Not found ]
SunOS / NSDAP Rootkit [ Not found ]
Superkit Rootkit [ Not found ]
TBD (Telnet BackDoor) [ Not found ]
TeLeKiT Rootkit [ Not found ]
T0rn Rootkit [ Not found ]
Trojanit Kit [ Not found ]
Tuxtendo Rootkit [ Not found ]
URK Rootkit [ Not found ]
VcKit Rootkit [ Not found ]
Volc Rootkit [ Not found ]
X-Org SunOS Rootkit [ Not found ]
zaRwT.KiT Rootkit [ Not found ]

Performing additional rootkit checks
Suckit Rookit additional checks [ OK ]
Checking for possible rootkit files and directories [ None found ]
Checking for possible rootkit strings [ None found ]

Performing malware checks
Checking running processes for suspicious files [ None found ]
Checking for login backdoors [ None found ]
Checking for suspicious directories [ None found ]
Checking for sniffer log files [ None found ]

Performing trojan specific checks
Checking for enabled inetd services [ OK ]

Performing Linux specific checks
Checking kernel module commands [ OK ]
Checking kernel module names [ OK ]

[Press <ENTER> to continue]

Checking the network...

Performing check for backdoor ports
Checking for UDP port 2001 [ Not found ]
Checking for TCP port 2006 [ Not found ]
Checking for TCP port 2128 [ Not found ]
Checking for TCP port 14856 [ Not found ]
Checking for TCP port 47107 [ Not found ]
Checking for TCP port 60922 [ Not found ]

Performing checks on the network interfaces
Checking for promiscuous interfaces [ None found ]

[Press <ENTER> to continue]

Checking the local host...

Performing system boot checks
Checking for local host name [ Found ]
Checking for local startup files [ Found ]
Checking local startup files for malware [ None found ]
Checking system startup files for malware [ None found ]

Performing group and account checks
Checking for passwd file [ Found ]
Checking for root equivalent (UID 0) accounts [ None found ]
Checking for passwordless accounts [ None found ]
Checking for passwd file changes [ None found ]
Checking for group file changes [ None found ]
Checking root account shell history files [ OK ]

Performing system configuration file checks
Checking for SSH configuration file [ Not found ]
Checking for running syslog daemon [ Found ]
Checking for syslog configuration file [ Found ]
Checking if syslog remote logging is allowed [ Not allowed ]

Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ None found ]

[Press <ENTER> to continue]

Checking application versions...

Checking version of Exim MTA [ OK ]
Checking version of GnuPG [ OK ]
Checking version of OpenSSL [ OK ]

System checks summary
=====================

File properties checks...
Files checked: 127
Suspect files: 2

Rootkit checks...
Rootkits checked : 109
Possible rootkits: 0

Applications checks...
Applications checked: 3
Suspect applications: 0

The system checks took: 30 minutes and 0 seconds

All results have been written to the logfile (/var/log/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter.log)

mint@mint ~ $

1 Attachment(s)

As you can see, my job has been--and continues to be-- painfully difficult. [

See attached screenshot.

The screenshot is fairly small, so in case you cannot see it, it says I do not have any right to view the rkhunter.log]

!!!!!!!!!!!!!!!

Did you run the command as root?[code] sudo cat /var/log/rkhunter.log | less[code]

Nothing. Although I have not logged out, the file is gone..

I will do a full install of a distro. I am not getting anywhere with the so called Windows experts. And Windows has so many problems as it is, I think that between Windows and their inability to think out of the box, I was doomed to have a hijacked laptop until I dropped it off a bridge.

Hopefully I will find a little more creativity in problem solving at a Linux forum like this one.

Any suggestions on a distro? Happy to move on from Ubuntu/Mint...

First question regarding my terminal output below..... Why is it that my clock (on my GUI) is correct, yet the system time is different?

mint@mint ~ $ sudo cat /var/log/less rkhunter.org
cat: /var/log/less: No such file or directory
cat: rkhunter.org: No such file or directory
mint@mint ~ $ who
mint tty4 2009-05-19 19:27
mint tty5 2009-05-19 19:27
mint tty6 2009-05-19 19:27
mint tty3 2009-05-19 19:27
mint tty2 2009-05-19 19:27
mint tty1 2009-05-19 19:28
mint tty7 2009-05-19 19:28 (:0)
mint pts/0 2009-05-20 07:07 (:0.0)
mint@mint ~ $ man ps
mint@mint ~ $ ps -U root -u root u
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 3056 1884 ? Ss 00:26 0:01 /sbin/init
root 2 0.0 0.0 0 0 ? S< 00:26 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S< 00:26 0:00 [migration/0]
root 4 0.0 0.0 0 0 ? S< 00:26 0:01 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S< 00:26 0:00 [watchdog/0]
root 6 0.0 0.0 0 0 ? S< 00:26 0:00 [migration/1]
root 7 0.0 0.0 0 0 ? S< 00:26 0:01 [ksoftirqd/1]
root 8 0.0 0.0 0 0 ? S< 00:26 0:00 [watchdog/1]
root 9 0.0 0.0 0 0 ? S< 00:26 0:00 [events/0]
root 10 0.0 0.0 0 0 ? S< 00:26 0:01 [events/1]
root 11 0.0 0.0 0 0 ? S< 00:26 0:00 [khelper]
root 51 0.0 0.0 0 0 ? S< 00:26 0:00 [kintegrityd/0]
root 52 0.0 0.0 0 0 ? S< 00:26 0:00 [kintegrityd/1]
root 54 0.0 0.0 0 0 ? S< 00:26 0:00 [kblockd/0]
root 55 0.0 0.0 0 0 ? S< 00:26 0:00 [kblockd/1]
root 57 0.0 0.0 0 0 ? S< 00:26 0:00 [kacpid]
root 58 0.0 0.0 0 0 ? S< 00:26 0:00 [kacpi_notify]
root 159 0.0 0.0 0 0 ? S< 00:26 0:00 [cqueue]
root 163 0.0 0.0 0 0 ? S< 00:26 0:00 [kseriod]
root 208 0.0 0.0 0 0 ? S 00:26 0:00 [pdflush]
root 209 0.0 0.0 0 0 ? S 00:26 0:00 [pdflush]
root 210 0.0 0.0 0 0 ? S< 00:26 0:00 [kswapd0]
root 252 0.0 0.0 0 0 ? S< 00:26 0:00 [aio/0]
root 253 0.0 0.0 0 0 ? S< 00:26 0:00 [aio/1]
root 1248 0.0 0.0 0 0 ? S< 00:26 0:00 [ata/0]
root 1250 0.0 0.0 0 0 ? S< 00:26 0:00 [ata/1]
root 1252 0.0 0.0 0 0 ? S< 00:26 0:00 [ata_aux]
root 1256 0.0 0.0 0 0 ? S< 00:26 0:00 [scsi_eh_0]
root 1257 0.0 0.0 0 0 ? S< 00:26 0:00 [scsi_eh_1]
root 1258 0.0 0.0 0 0 ? S< 00:26 0:00 [scsi_eh_2]
root 1259 0.0 0.0 0 0 ? S< 00:26 0:00 [scsi_eh_3]
root 1261 0.0 0.0 0 0 ? S< 00:26 0:00 [scsi_eh_4]
root 1263 0.0 0.0 0 0 ? S< 00:26 0:00 [scsi_eh_5]
root 1281 0.0 0.0 0 0 ? S< 00:26 0:00 [ksuspend_usbd]
root 1282 0.0 0.0 0 0 ? S< 00:26 0:01 [khubd]
root 2064 0.0 0.0 0 0 ? S< 00:26 0:00 [scsi_eh_6]
root 2065 0.0 0.0 0 0 ? S< 00:26 0:00 [scsi_eh_7]
root 2372 0.0 0.0 0 0 ? S< 00:26 0:01 [aufsd]
root 2373 0.0 0.0 0 0 ? S< 00:26 0:00 [aufsd]
root 2374 0.0 0.0 0 0 ? S< 00:26 0:00 [aufsd]
root 2375 0.0 0.0 0 0 ? S< 00:26 0:00 [aufsd]
root 2412 0.0 0.0 0 0 ? S< 00:26 0:02 [loop0]
root 4296 0.0 0.0 2496 1004 ? S<s 00:27 0:01 /sbin/udevd --daemon
root 5361 0.0 0.0 0 0 ? S< 00:27 0:00 [kmmcd]
root 5365 0.0 0.0 0 0 ? S< 00:27 0:00 [kpsmoused]
root 6511 0.0 0.0 2956 1408 tty4 Ss 00:27 0:00 /bin/login -f
root 6512 0.0 0.0 2956 1408 tty5 Ss 00:27 0:00 /bin/login -f
root 6521 0.0 0.0 2956 1404 tty2 Ss 00:27 0:00 /bin/login -f
root 6522 0.0 0.0 2956 1404 tty3 Ss 00:27 0:00 /bin/login -f
root 6525 0.0 0.0 2956 1404 tty6 Ss 00:27 0:00 /bin/login -f
root 6759 0.0 0.0 2304 1212 ? Ss 00:27 0:00 /usr/sbin/acpid -c /etc/acpi/events -s /var/run/acpid.socket
root 6827 0.0 0.0 0 0 ? S< 00:27 0:05 [kondemand/0]
root 6828 0.0 0.0 0 0 ? S< 00:27 0:06 [kondemand/1]
root 6958 0.0 0.0 1940 544 ? S 00:27 0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
root 7078 0.0 0.0 6512 2676 ? Ss 00:27 0:00 /usr/sbin/cupsd
root 7143 0.0 0.0 7124 1584 ? Ss 00:27 0:00 /usr/sbin/nmbd -D
root 7145 0.0 0.0 12692 2768 ? Ss 00:27 0:00 /usr/sbin/smbd -D
root 7167 0.0 0.0 12692 1112 ? S 00:27 0:00 /usr/sbin/smbd -D
root 7175 0.0 0.0 17480 2604 ? Ssl 00:27 0:00 /usr/sbin/console-kit-daemon
root 7176 0.0 0.0 3364 1140 ? S 00:27 0:00 hald-runner
root 7258 0.0 0.0 3436 1056 ? S 00:27 0:01 hald-addon-input: Listening on /dev/input/event4 /dev/input/event7 /dev/input/event9 /dev/in
root 7274 0.0 0.0 3448 1040 ? S 00:27 0:00 /usr/lib/hal/hald-addon-cpufreq
root 7283 0.0 0.0 3440 1156 ? S 00:27 0:08 hald-addon-storage: polling /dev/scd0 (every 2 sec)
root 7327 0.0 0.0 3488 1544 ? Ss 00:27 0:00 /usr/sbin/bluetoothd
root 7334 0.0 0.0 0 0 ? S< 00:27 0:00 [btaddconn]
root 7336 0.0 0.0 0 0 ? S< 00:27 0:00 [btdelconn]
root 7350 0.0 0.0 0 0 ? S< 00:27 0:00 [krfcommd]
root 7389 0.0 0.0 14632 2588 ? Ssl 00:28 0:01 /usr/sbin/NetworkManager
root 7414 0.0 0.0 4240 1828 ? S 00:28 0:00 /sbin/wpa_supplicant -u -f /var/log/wpa_supplicant.log
root 7422 0.0 0.1 6776 2980 ? S 00:28 0:00 /usr/sbin/nm-system-settings --config /etc/NetworkManager/nm-system-settings.conf
root 7486 0.0 0.0 14240 1756 ? Ss 00:28 0:00 /usr/sbin/gdm
root 7489 0.0 0.1 14740 3188 ? S 00:28 0:00 /usr/sbin/gdm
root 7492 5.3 1.3 55180 39092 tty7 Rs+ 00:28 21:26 /usr/X11R6/bin/X :0 -br -audit 0 -auth /var/lib/gdm/:0.Xauth -nolisten tcp vt7
root 7511 0.0 0.0 4336 1148 ? Ss 00:28 0:00 /usr/bin/system-tools-backends
daemon 7529 0.0 0.0 2068 456 ? Ss 00:28 0:00 /usr/sbin/atd
root 7557 0.0 0.0 3412 1024 ? Ss 00:28 0:00 /usr/sbin/cron
root 7649 0.0 0.0 2956 1500 tty1 Ss 00:28 0:00 /bin/login -f
root 8566 0.0 0.0 2252 948 ? S 00:46 0:00 /sbin/dhclient -d -sf /usr/lib/NetworkManager/nm-dhcp-client.action -pf /var/run/dhclient-et
root 30969 0.1 0.9 56004 27364 ? Ssl 04:49 0:12 python /usr/lib/linuxmint/mintUpdate/mintUpdate.py show 7965
mint@mint ~ $

Latest run of ps -Ae

I am not using any of the apps that are being used in the process list....tomboy, nautilus, mixer, etc.

mint@mint ~ $ ps -Ae
PID TTY TIME CMD
1 ? 00:00:01 init
2 ? 00:00:00 kthreadd
3 ? 00:00:00 migration/0
4 ? 00:00:01 ksoftirqd/0
5 ? 00:00:00 watchdog/0
6 ? 00:00:00 migration/1
7 ? 00:00:01 ksoftirqd/1
8 ? 00:00:00 watchdog/1
9 ? 00:00:00 events/0
10 ? 00:00:01 events/1
11 ? 00:00:00 khelper
51 ? 00:00:00 kintegrityd/0
52 ? 00:00:00 kintegrityd/1
54 ? 00:00:00 kblockd/0
55 ? 00:00:00 kblockd/1
57 ? 00:00:00 kacpid
58 ? 00:00:00 kacpi_notify
159 ? 00:00:00 cqueue
163 ? 00:00:00 kseriod
208 ? 00:00:00 pdflush
209 ? 00:00:00 pdflush
210 ? 00:00:00 kswapd0
252 ? 00:00:00 aio/0
253 ? 00:00:00 aio/1
1248 ? 00:00:00 ata/0
1250 ? 00:00:00 ata/1
1252 ? 00:00:00 ata_aux
1256 ? 00:00:00 scsi_eh_0
1257 ? 00:00:00 scsi_eh_1
1258 ? 00:00:00 scsi_eh_2
1259 ? 00:00:00 scsi_eh_3
1261 ? 00:00:00 scsi_eh_4
1263 ? 00:00:00 scsi_eh_5
1281 ? 00:00:00 ksuspend_usbd
1282 ? 00:00:01 khubd
2064 ? 00:00:00 scsi_eh_6
2065 ? 00:00:00 scsi_eh_7
2372 ? 00:00:01 aufsd
2373 ? 00:00:00 aufsd
2374 ? 00:00:00 aufsd
2375 ? 00:00:00 aufsd
2412 ? 00:00:02 loop0
4296 ? 00:00:01 udevd
5361 ? 00:00:00 kmmcd
5365 ? 00:00:00 kpsmoused
6511 tty4 00:00:00 login
6512 tty5 00:00:00 login
6521 tty2 00:00:00 login
6522 tty3 00:00:00 login
6525 tty6 00:00:00 login
6533 tty4 00:00:00 bash
6534 tty5 00:00:00 bash
6537 tty6 00:00:00 bash
6546 tty3 00:00:00 bash
6547 tty2 00:00:00 bash
6759 ? 00:00:00 acpid
6827 ? 00:00:05 kondemand/0
6828 ? 00:00:06 kondemand/1
6907 ? 00:00:00 syslogd
6958 ? 00:00:00 dd
6960 ? 00:00:00 klogd
6983 ? 00:00:02 dbus-daemon
7005 ? 00:00:00 avahi-daemon
7006 ? 00:00:00 avahi-daemon
7078 ? 00:00:00 cupsd
7143 ? 00:00:00 nmbd
7145 ? 00:00:00 smbd
7167 ? 00:00:00 smbd
7170 ? 00:00:02 hald
7175 ? 00:00:00 console-kit-dae
7176 ? 00:00:00 hald-runner
7258 ? 00:00:01 hald-addon-inpu
7274 ? 00:00:00 hald-addon-cpuf
7275 ? 00:00:00 hald-addon-acpi
7283 ? 00:00:08 hald-addon-stor
7327 ? 00:00:00 bluetoothd
7334 ? 00:00:00 btaddconn
7336 ? 00:00:00 btdelconn
7350 ? 00:00:00 krfcommd
7389 ? 00:00:01 NetworkManager
7414 ? 00:00:00 wpa_supplicant
7422 ? 00:00:00 nm-system-setti
7486 ? 00:00:00 gdm
7489 ? 00:00:00 gdm
7492 tty7 00:22:01 Xorg
7511 ? 00:00:00 system-tools-ba
7529 ? 00:00:00 atd
7557 ? 00:00:00 cron
7649 tty1 00:00:00 login
7658 tty1 00:00:00 bash
7716 ? 00:00:00 x-session-manag
7836 ? 00:00:00 ssh-agent
7839 ? 00:00:00 dbus-launch
7840 ? 00:00:01 dbus-daemon
7843 ? 00:00:02 pulseaudio
7846 ? 00:00:00 gconf-helper
7848 ? 00:00:05 gconfd-2
7854 ? 00:00:00 seahorse-agent
7858 ? 00:00:00 gnome-keyring-d
7861 ? 00:00:00 gnome-keyring-d
7862 ? 00:00:07 gnome-settings-
7864 ? 00:00:34 metacity
7894 ? 00:00:00 gvfsd
7910 ? 00:00:00 gvfs-fuse-daemo
7933 ? 00:00:33 gnome-panel
7936 ? 00:00:45 nautilus
7939 ? 00:00:00 bonobo-activati
7948 ? 00:00:00 gvfs-hal-volume
7950 ? 00:00:00 gvfs-gphoto2-vo
7952 ? 00:00:00 bluetooth-apple
7958 ? 00:00:17 gnome-do
7961 ? 00:00:00 gvfsd-burn
7968 ? 00:00:01 nm-applet
7971 ? 00:00:01 python
7973 ? 00:00:02 gnome-power-man
7985 ? 00:00:04 tomboy
7987 ? 00:00:00 mixer_applet2
7989 ? 00:00:22 mintMenu
7992 ? 00:00:00 gvfsd-trash
8050 ? 00:01:43 gnome-screensav
8119 ? 00:00:01 trackerd
8566 ? 00:00:00 dhclient
8573 ? 00:00:01 notification-da
8634 ? 00:40:49 firefox
9616 ? 00:00:00 exim4
15275 ? 00:00:03 gnome-terminal
15277 ? 00:00:00 gnome-pty-helpe
15278 pts/0 00:00:00 bash
15360 ? 00:00:10 npviewer.bin
15859 ? 00:00:00 gnome-terminal <defunct>
15862 pts/1 00:00:00 bash
15877 pts/1 00:00:00 ps
29804 ? 00:00:00 gvfsd-computer
30968 ? 00:00:00 gksudo
30969 ? 00:00:14 mintUpdate
31529 ? 00:00:16 evince