Desperately Seeking Help Linux/Windows knowledge -- Sanity at Stake
The above title is a little dramatic I realize, but it is nonetheless close to the truth. In fact, this is the second forum from which I have sought help (fyi, I am new here and this is my first post), however this is my first Linux forum and I hope that it will be more successful.
This is a very long story, but I will try to summarize as succinctly as possible.
First, I am not a "native" Linux user. I cut the Windows cord finally only 6 months ago. I am currently writing this post from a Mint Linux distro, but I had used Ubuntu as a dual boot until this security problem
However, while I am not terribly well-versed yet in Linux, I have been using (and very effortlessly so) computers for 20-25 years. I was a programmer for awhile in my teens. Started programming in BASIC in junior high (and started to learn assembly), then COBOL during high school because of a job I had, then VB during college. HTML/CSS came next, then Python, and currently trying to get through the initial pangs of the glyph like feel of Perl -- however, I am especially excited to get my hands dirty with it given its significance in Unix/Linux.
I am making a career transition at the moment from attorney to "not quite sure yet" in the IT area. So, overall my Linux skills are about a 2/10 (but part of my stagnant growth is due the problem I am having--the reason for this post). OK, that is a little background on me. Thank you for reading. Now to my problem.
About 5 months ago, I was learning various wireless protocols and was using some tools to learn tcp and udp packet structure, etc... Somehow and at some point along the way my only pc a laptop -- which as an fyi, was a dual boot machine with Ubuntu Intrepid and Windows 7-- had a security breach. I thought then that it might just be a virus/trojan/worm or something I had to hunt down and eradicate. However, it turns out that it could very well be something worse -- a total hijacking, which I cannot seem to get rid of....to this day.
After a month of trying to get my laptop to a normal functioning state, I decided to seek out help on the web. Since I was using a beta Windows version and suspected a possible security flaw, I first went to sevenforums.com to discuss my problem. While everyone there is helpful and very knowledgeable in Windows, no one has yet to offer me any solutions which I have not already tried.
My theory as to what is taking place -- based on 4 months of trying to work on this -- is that the intruder is using something rather novel (I will explain this below) to gain initial penetration (incidentally, this intruder/hijacker is not particularly malicious or destructive, but rather only seems to automate much of his presence until he needs to actively do something in his defense. He really only restricts my using Windows when it interferes with whatever he is using my laptop for -- and this is still unclear to me. On the windows forum, I have posted countless screenshots and other data showing very strange and unusual states in Windows, but the group at large seems to think I have not taken the right steps to clean my machine.
My theory, and it seems no one believes me (or at least no one who has any real knowledge in IT/computers), is that for initial access, this intruder uses bluetooth from an AP to my laptop assisted by a trojan that --because he will actively get involved as needed-- is infinitely mutatable and relocatable. From that point he establishes a typical TCP/UDP connection (as much connection as UDP will allow anyway), and in Windows, I am then on a doman/Active Directory, and even my Administrator privileges cannot go beyond his Server-level admin privileges.
As strange as that may seem to anyone who is reading this, he is not only in Windows, but Linux as well. I first became aware of this when I would use my Backtrack USB or CD. After the infection, I never had root privileges in any linux distro I had--whether I was using a LIVE CD or a full installation. And given the nature of Backtrack, he will severely restrict my use of either Backtrack 3 or 4, as I would guess the tools contained on those CDs might expose him. But my first clue was that I was no longer (and never since) had root privileges in any Distro I have used. Sometimes I would have the name "root", but the PID of 1000. Or he would get into the boot process or LIVE installation before me with privileges and lock things or set things up so I could not use them as expected (yet I was then root with the apparent PID of 0, but somehow he had made it impossible for me to fix what he change (I now have a solid and pretty secure ethernet connection, but back when I relied on wireless, this whole mess rendered my laptop almost useless. He has also made devices and commands in Linux disappear --and this is where my inadequate Linux skills show because I do not know what to do to retrieve them.
In windows, I end up trying to take back control of my laptop by terminating processes or services which I have learned he needs, which then results in a battle for the control of my pc, which sooner or later crashes due to the fact that whatever I have done (presumably) has damaged the system or he chooses to prevent me from booting into windows because the system can no longer function correctly to support is full functionality.
Being used to my dual-boot setup, originally I had to reinstall both OS's countless times. Finally, since I knew that his means of access and existence were based on Windows code, I stopped doing full installs of Ubuntu, and have since then been using a Mint Linux (Deb/Ubuntu based) LIVE CD for Linux (which is more frequent than before since Windows use always end up with a drive-wipe and a reinstallation) and just reinstalled Windows 7 or Vista (if I had to ensure that the installatino of an OS was 100% clean). The one thing I do know about Linux is that it is far more simpler -- with the proper skill level-- to isolate and track someone like this than it is in windows. However, he is extrememely intelligent in both OSs, and as said has higher privileges than me in both as well. I basically have a roommate I do not want, and try as I might, I cannot exorcise him from this laptop. Before I go further, look at the attached screenshot of a terminal window where I executed "ps a". I think to anyone who is familiar with Linux and X-windows, you can see that something sticks out like the proverbial sore thumb. See attached.
I know this is unbelieveable, but last weekend, I went so far as to swap out the old 250GB Toshiba HD for a brand new WD 320GB drive, then installing Windows Vista from factory CDs. Either the trojan he used was still somehow in memory, or bluetooth or another protocol I am not familiar with (nor are the Windows people) is still allowing him access in some very arcane way
While I am in this LIVE CD right now, I had planned on going to run ps -i and ps -ef to show you why I think he can change his privileges before I login....but I am now unable to use the command "ps". :x
I know this is very hard to believe, but if you take my word that the screenshot is authentic (and I would love to know what else you can derive from that output), then if you are aggressive and can instruct me what to do, I and my sanity, would be eternally grateful.
In any case, please tell me what you think.
Thank you very much, and I apologize that my first post could not be one of contribution instead of asking for assistance,,,