Re: Hacker has changed code; need original to compare.

From: Mike Brannigan [MSFT] (mikebran_at_online.microsoft.com)
Date: 11/27/03


Date: Thu, 27 Nov 2003 10:55:42 -0000


<anonymous@discussions.microsoft.com> wrote in message
news:068501c3b476$0acb44a0$a101280a@phx.gbl...
>
> Mike,
>
> Thank you for your kind help.
>
> I know where the code is located, but it is on "Cab
> Files" and I don't know how to access and read them.
> Also, at this point I am not interested in changing my
> machine back to the original as I just did that last
> month and the Bum hit me again. In fact, last month he
> gave me 6 worms. I haven't even finished downloading all
> of my files, and am working off of CD's for the most part.
>
> This time, I need the comparison code for the FBI so I
> can show them the before and the after. The code is the
> proof I need for them to make a case. That code change
> was my first thought. But, if I can use the programs
> recommended by Doug, then I will also have proof, and the
> FBI can move in and they can compare the code. I am going
> to follow Doug's recommendations and see where that can
> help me.

If the file you require is in a CAB file - you can just click on it in
Windows Explorer - see the file and drag it out to a new folder - it will
automatically be pulled out.
If the file has an extension like xxxxxx.ex_ then you need to decompress it.
Use the Expand command from a command prompt. e.g.
Expand c:\temp\xxxxxx.ex_ c:\temp\xxxxxx.exe
This will expand the compressed file back to an exe.

-- 
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no
rights
Please note I cannot respond to e-mailed questions, please use these
newsgroups
<anonymous@discussions.microsoft.com> wrote in message
news:068501c3b476$0acb44a0$a101280a@phx.gbl...
>
> >-----Original Message-----
> >(top posted due to length of original mail)
> >
> >Renie,
> >
> >The originals of any Windows XP components are on your original Windows XP
> >CD ROM.
> >If the person has made code changes you could perform a repair install to
> >restore all the system files to as shipped.
> >If they have only made configuration changes this will not be fixed by a
> >repair install.  If you are unable to remove their changes then back up your
> >application data and rebuild your PC. Take the appropriate measures to
> >secure your PC before you reconnect to the Internet.
> >-- 
> >Regards,
> >
> >Mike
> >--
> >Mike Brannigan [Microsoft]
> >
> >This posting is provided "AS IS" with no warranties, and confers no
> >rights
> >
> >Please note I cannot respond to e-mailed questions, please use these
> >newsgroups
> >
> >"Renie" <anonymous@discussions.microsoft.com> wrote in message
> >news:104a01c3b43c$2e10b470$a501280a@phx.gbl...
> >> I have an unusual problem.   I am using Windows XP
> >> Professional and IE6.
> >>
> >> I have a hacker who constantly bothers me.  About a week
> >> ago, they changed my Internet access code so that when I
> >> log onto Windows, it immediately dials my ISP to connect
> >> to the internet.
> >>
> >> If I click to cancel, it immediately redials. It seems
> >> that they also have it set to dial an unlimited number of
> >> times in rapid succession. (Like a repeater.)
> >>
> >> The only way I can limit them from dialing up the net, is
> >> to set my privacy controls to a "protected password"
> >> status.  But, this doesn't stop the dialer.
> >>
> >> It will continue to dial and just give an error message,
> >> reset and redial.
> >>
> >> I then don't bother to cancel, so I have the 2 boxes then
> >> displayed on my desktop.  The one that says it
> >> is "Connecting" and the one that gives the "Error" message.
> >>
> >> This will remain in place, as long as I am working on my
> >> desktop.
> >>
> >> To access the net, I have to go into my connection
> >> settings, change my privacy settings back to "unsecured
> >> password"; and click cancel on their dialer box, and try
> >> to quickly beat them connecting to the internet so I get
> >> on and they don't.  Which is what I have done to get here.
> >>
> >> I have purchased bCentral Web Hosting and additional
> >> products which I cannot use now, as I am afraid to let
> >> this individual know about them.  So, he is not just
> >> causing a waste of time, but a waste of money, also.
> >>
> >> This person is a real hazard to the internet.  I have
> >> traced the activities of this person, found his location,
> >> and have their identity.
> >>
> >> In my tracing activity, I have found that he also changes
> >> my ISP number from one day to the next, depending upon
> >> what he is using my computer as a portal to obtain from
> >> the net.
> >>
> >> In my state, I can prosecute them.  But, I need a copy of
> >> the original code that dials up IE6, and compare it to
> >> the code that has been changed as my proof.
> >>
> >> I believe that this may be in the INF files, as I have
> >> done a search and have seen where certain files were
> >> changed during the past 2 weeks. I also searched for a
> >> separate .EXE program file but found none.
> >>
> >> Can anyone tell me
> >>
> >> 1.  If I should look for a specific Program name?
> >>
> >> 2.  How I can obtain the original code pages for the
> >> comparison?  It would be greatly appreciated.
> >>
> >> 3.  Or, if this is an activity that is being totally run
> >> on the outside?
> >>
> >> Any help dealing with this sick individual will be
> >> GREATLY APPRECIATED.
> >
> >
> >.
> >
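
Added example (not part of the original thread): one way to carry out the before/after comparison discussed above is to expand the compressed original with the Expand command from the reply, then compare it with the copy taken from the machine by size, file version and SHA-256. It assumes PowerShell 4.0 or later (for Get-FileHash); every path other than c:\temp\xxxxxx.ex_ is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Paths are placeholders to adjust.
$compressed = 'C:\temp\xxxxxx.ex_'            # compressed original copied from the CD
$baseline   = 'C:\temp\baseline\xxxxxx.exe'   # hypothetical: where the expanded original goes
$installed  = 'C:\temp\suspect\xxxxxx.exe'    # hypothetical: copy of the file from the machine

# Keep the expanded original in its own folder so it cannot be confused
# with the copy under examination.
New-Item -ItemType Directory -Force -Path (Split-Path $baseline) | Out-Null

# Same command form as in the reply: Expand <source> <destination>
& expand.exe $compressed $baseline | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $baseline)) {
    throw "expand.exe did not produce $baseline"
}

# Collect the facts worth recording for each file.
function Get-FileFacts([string]$Path) {
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path     = $item.FullName
        Size     = $item.Length
        Version  = $item.VersionInfo.FileVersion
        Modified = $item.LastWriteTimeUtc
        SHA256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$orig = Get-FileFacts $baseline
$curr = Get-FileFacts $installed
$orig, $curr | Format-List

if ($orig.SHA256 -eq $curr.SHA256) {
    'MATCH: the installed copy is byte-identical to the expanded original.'
} elseif ($orig.Version -ne $curr.Version) {
    'DIFFERENT VERSION: compare against the original for that version before drawing conclusions.'
} else {
    'MISMATCH: same reported version but different content.'
}
```

A hash mismatch alone does not show tampering: service packs and hotfixes replace system files with newer builds than the ones on the CD, so the baseline has to come from the same patch level as the installed file.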