We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now


Passive/Active problem. Help requested. XP Pro connected via NITIX

jrs_50 asked
Medium Priority
Last Modified: 2011-10-03
In advance - I apologize for a) the length of the post and b) the fact that I will have only sporadic and minimal opportunity to follow-up on this post. I will, however, do what I can to facilitate any resolution and everyone's assistance IS appreciated.

Short version - I'm dealing with both a passive spy and an active hack. As you know windows does a lot in the background and it is difficult at best to separate the 'file'access of those actions from something more malicious. At the end of this is a partial list of \windows\system32 accesses as an example. Note that the accesses were while in 'Safe Mode' (which isn't!) and AFTER/WHILE I was viewing some gathered info using Notepad (where I've started the list). Note, for example, the tourstart.exe, spider.exe and so forth. Not me.  Not ANYTHING that I was doing. The date/times are 'access'. The info is just to provide an 'example' in case someone might be able to view it and say 'oh yeah I know whats going on' and also to provide an 'example'.

Please don't respond with the 'standard' about run this scan or that. This is NOT a new 'problem'. I've been analyzing for several months and have run quite a few scans using various products both mainstream and other for spyware, trojans, rootkits, hijack, and so forth. The bottom line is, essentially, that my own legitimate 'system' is being used against me and none of the scans have found anything significant.  I am also aware that I will need to wipe and fully reinstall.  Before that, however, I'd like to acquire some better sense of how/what is/was done in order to prevent (as was the case following the previous wipe/reinstall) re-infection. :-(

The platform is Dell Inspiron 4150 TrueMobile, up-to-date (supposedly) XP Pro SP2, and quite a bit of development software, Visual Studio, Macromedia Studio, SQL 2k desktop, Mysql, Apache, etc, etc.  I PULLED the dell mini-pci after determining that 'disabling' the wireless connection was not sufficient and that it was being used. It's a workstation connected to a ('bare' at this point) NITIX server which provides the DSL internet connection. I generally,now, have the XP plug to the server disconnected unless I need it. I use Norton, (supposedly) current, for FW/AV.

I have 2 SPECIFIC multi-point questions at this point of things:

1) In safemode, ethernet disconnected, mini-pci removed, no modem cable (It's a Conexant internal), telephony etc disabled, HOW could it possibly be a 'live' connection?  There have been (although not this specific instance) indications of that.  If NOT 'live' then what is the best tool/approach for for isolating the 'process' that is doing the accessing?  Someone/Something quite obviously IS.

2) My CD-RW has been turned into a CD-ROM (because I've been using it to offload some of the 'clues' I have discovered for subsequent analysis). Can't use my external USB CD-RW either.  In fact; at THIS point any access to CD yields "D:\ is not accessible...illegal function". I can copy stuff to my server (when connected) BUT as the recent loss of a critical file indicated; the info is not safe there. Any ideas as to how to 'quickly' reenable CD burn capability???  Note that neither repair install, uninstall of drivers/device and reinstall of device, nor loading the burn software associated with my external drive (currently uninstalled) resolves the problem.

ANY help/clues appreciated. I hope I can 'paste' this because I'm vulnerable whenever I connect to the net. THANKS in advance.


 Volume in drive C has no label.

 Directory of c:\windows\system32

11/03/2006  02:33 PM            69,120 notepad.exe
11/03/2006  02:36 PM           159,744 scrobj.dll
11/03/2006  02:38 PM            25,065 wmpscheme.xml
11/03/2006  02:38 PM            20,992 wrlzma.dll
11/03/2006  02:38 PM           258,048 wmvds32.ax
11/03/2006  02:38 PM                75 View Channels.scf
11/03/2006  02:38 PM           187,904 main.cpl
11/03/2006  02:39 PM           438,272 shimgvw.dll
11/03/2006  02:39 PM             2,897 mpm.xml
11/03/2006  02:39 PM            86,016 mdmxsdk.dll
11/03/2006  02:39 PM            73,376 mciavi.drv
11/03/2006  02:39 PM            72,704 magnify.exe
11/03/2006  02:39 PM           742,400 ltann11N.dll
11/03/2006  02:39 PM           110,592 ltfil11n.DLL
11/03/2006  02:39 PM            13,312 lsass.exe
11/03/2006  02:39 PM           514,560 logonui.exe
11/03/2006  02:40 PM           607,232 ltocx11n.ocx
11/03/2006  02:40 PM            61,440 MFC71ITA.DLL
11/03/2006  02:41 PM             8,192 staxmem.dll
11/03/2006  02:42 PM           239,104 srrstr.dll
11/03/2006  02:42 PM           737,280 spr32d30.dll
11/03/2006  02:42 PM            31,232 sc.exe
11/03/2006  02:42 PM           397,824 regwizc.dll
11/03/2006  02:42 PM           143,360 rasmontr.dll
11/03/2006  02:42 PM           181,248 rasmans.dll
11/03/2006  02:42 PM           657,920 rasdlg.dll
11/03/2006  02:43 PM            35,840 rcimlby.exe
11/03/2006  02:43 PM            13,824 rdsaddin.exe
11/03/2006  02:43 PM            92,168 rdpdd.dll
11/03/2006  02:44 PM            16,896 winrnr.dll
11/03/2006  02:44 PM         1,309,184 wbdbase.deu
11/03/2006  02:44 PM           163,980 VPCNetS2.dll
11/03/2006  02:44 PM           123,392 umpnpmgr.dll
11/03/2006  02:44 PM           200,704 THREED32.OCX
11/03/2006  02:44 PM           610,304 sspipes.scr
11/03/2006  02:44 PM            17,920 nddeapi.dll
11/03/2006  02:46 PM            53,760 narrator.exe
11/03/2006  02:46 PM           506,368 msxml.dll
11/03/2006  02:46 PM            54,784 msvci70.dll
11/03/2006  02:47 PM             7,168 msr2cenu.dll
11/03/2006  02:47 PM            20,992 msg.exe
11/03/2006  02:47 PM            33,792 msgsvc.dll
11/03/2006  02:48 PM            51,712 wzcsapi.dll
11/03/2006  02:48 PM             6,144 svcpack.dll
11/03/2006  02:49 PM            59,392 streamhlp.dll
11/03/2006  02:49 PM            58,880 resutils.dll
11/03/2006  02:51 PM            50,688 mmcshext.dll
11/03/2006  02:51 PM            41,472 hhsetup.dll
11/03/2006  02:51 PM           413,696 msvcp60.dll
11/03/2006  02:51 PM            60,416 colbact.dll
11/03/2006  02:52 PM             4,096 mtxex.dll
11/03/2006  02:52 PM            66,560 mtxclu.dll
11/03/2006  02:53 PM    <DIR>          CatRoot
11/03/2006  02:53 PM    <DIR>          CatRoot2
11/03/2006  02:53 PM    <DIR>          Com
11/03/2006  02:53 PM    <DIR>          config
11/03/2006  02:53 PM    <DIR>          Dell
11/03/2006  02:53 PM    <DIR>          DirectX
11/03/2006  02:53 PM    <DIR>          dhcp
11/03/2006  02:53 PM    <DIR>          dllcache
11/03/2006  02:53 PM    <DIR>          drivers
11/03/2006  02:53 PM    <DIR>          export
11/03/2006  02:53 PM    <DIR>          ias
11/03/2006  02:53 PM    <DIR>          icsxml
11/03/2006  02:53 PM            53,760 cryptext.dll
11/03/2006  02:54 PM            90,624 trkwks.dll
11/03/2006  02:54 PM            12,288 tracert.exe
11/03/2006  02:54 PM                51 pscript.sep
11/03/2006  02:54 PM            96,768 psbase.dll
11/03/2006  02:56 PM           140,288 sfc_os.dll
11/03/2006  02:56 PM            18,432 secedit.exe
11/03/2006  02:56 PM           144,896 schannel.dll
11/03/2006  03:23 PM    <DIR>          inetsrv
11/03/2006  03:23 PM    <DIR>          IME
11/03/2006  03:23 PM    <DIR>          Logfiles
11/03/2006  03:23 PM    <DIR>          ..
11/03/2006  03:23 PM    <DIR>          .
11/03/2006  03:23 PM            39,936 rshx32.dll
11/03/2006  03:23 PM            56,832 authz.dll
11/03/2006  03:23 PM           114,688 aclui.dll
11/03/2006  03:23 PM            46,080 docprop.dll
11/03/2006  03:23 PM            48,128 docprop2.dll
11/03/2006  03:23 PM            44,032 twext.dll
11/03/2006  03:25 PM         1,179,648 d3d8.dll
11/03/2006  03:28 PM                 2 desktop.ini
11/03/2006  03:28 PM            68,096 shgina.dll
11/03/2006  03:28 PM         2,370,296 wmvcore.dll
11/03/2006  03:28 PM           224,768 wmasf.dll
11/03/2006  03:28 PM           480,768 Audiodev.dll
11/03/2006  03:28 PM           291,840 winsrv.dll
11/03/2006  03:28 PM           397,824 rpcss.dll
11/03/2006  03:28 PM           640,000 dbghelp.dll
11/03/2006  03:28 PM           498,688 clbcatq.dll
11/03/2006  03:28 PM           792,064 comres.dll
11/03/2006  03:28 PM           658,944 wininet.dll
11/03/2006  03:28 PM           431,616 riched20.dll
11/03/2006  03:28 PM           617,472 comctl32.dll
11/03/2006  03:28 PM            28,672 verclsid.exe
11/03/2006  03:28 PM         8,453,632 shell32.dll
11/03/2006  03:37 PM           110,080 imm32.dll
11/03/2006  03:37 PM            20,634 debug.exe
11/03/2006  03:37 PM           347,136 tourstart.exe
11/03/2006  03:37 PM           538,624 spider.exe
11/03/2006  03:37 PM           407,552 mstsc.exe
11/03/2006  03:37 PM           126,976 mshearts.exe
11/03/2006  03:37 PM           146,432 winspool.drv
11/03/2006  03:37 PM           275,456 ulib.dll
Watch Question

Firstly the accesses look possibly like a boot time virus scan

When you say "live connection" what do you mean ?  You categorically cannot have a live connection if you have disabled you external devices. To isolate the process, either use built in task manager with i/o read and i/o write columns switched on (in view, select columns) monitoring this should give you a good idea of what is racking up disk activity.  Alternatively Process Explorer will show exactly what file is open by what process, it can be downloaded from http://www.sysinternals.com/Utilities/ProcessExplorer.html

Lastly to convert a device detected as CD-ROM back to a CD-RW.  In My Computer, right click the non functional device, and choose properties, then open the recording tab, and choose "Enable CD Recording on this Drive"


Agree...SOME type of scan/use.  However; not boot time and not a virus scan.  I'm quite familiar with TM and ProcessExplorer, filemon, and so forth but have been unable to isolate beyond some relationship to svchost -netsvcs, ctfmon, ntdll, explorer, msmsgs, rstrui, print spooler, machine debug manager/vs7debug, homesite/frontpage/coldfusion/Jasc paintshop, and a few others.  It varies a bit depending upon what I've enabled/disabled.  Basically; SOMETHING IS scanning/mining for applicable components for the purpose of rebuilding/repairing itself.  It's that SOMETHING I'm attempting to isolate.  I'm also attempting to isolate the SOMEONE who has a backdoor into my system and that backdoor.

Regarding 'live connection'.  I agree that it seems quite unreasonable for the 'backdoor' to be in use when there is, so far as I am aware, no communication channel available (no ethernet or modem cable, mini-pci/wireless board pulled).  Yet; there have been indications of that occuring.  I'm basically asking if there is some channel, for example wireless even though I've pulled the mini-pci, that I'm overlooking somehow.  As for disabling wireless, alone, providing protection; that's a fallacy (think "Tempest"-like process).

There is no 'recording' tab because the system thinks its a DVD/CD-ROM device.  Although as I indicated, at this point, its not usable at all.  See previous post.

Thanks for the feedback/response.  It is appreciated.  I'm still looking for answers.

Ok, you mention rstrui, can you try disabling system restore, is it possible it is attempted to create a restore point.  

Why dont you run a netstat and post the result, that will show everything that is listening or has connections open.

TEMPEST is technology that reads your monitor by analysing it's em radiation, unless you suspect you are the subject of an NSA, CIA investigation I would generally assume that you are safe.

If a device is disabled in windows...it is disabled, it is not allocated resources and therefore will NOT function.

Can you try another CD-RW device.


Disabled sys restore via system (its not doing me any good anyway as part of the 'problem' is that if I attempt a restore I lose admin access via the admin account) . It made no difference anyway and I've had to deal with 'restores' going on out of my control even with system restore disabled.  I believe rstrui is being used for other than the basic "system restore".  It has, since, been turned back on (not sure when/how).  Similarly; indications of backup/restore.

The netstat no longer reports any activity although I know it is occurring (other tools if I get lucky.  Interestingly; within past few weeks if I attempt to netdiag (while noting net activity in progress) the activity stops as soon as I TYPE the command and resumes after it completes.  The 'passive' portion of the problem is somehow tied to msmsg, intuit printer, one of more graphics handlers, encryption, and conf.

I think you will find that you can find Tempest related tools if you search the net.  Either way, there are symptoms or at least circumstantial indications.  As regards investigation.  Not that I'm aware of.   The 'evidence' I've gathered with respect to my problem will be submitted to the feds anyway.  I'm just doing a bit more on my own first.

If a device is disabled in windows...   Yes, supposedly.  Also safemode with no networking should have no networking.  I have indications to the contrary.

As I posted earlier my external (usb) CD-RW manifests the same problems.

Anyway, thanks again.  Must disconnect.  Will try to check back again in case anyone has any ideas I might have overlooked.
Ok, first things first.
If we're dealing with a rootkited machine, there is absolutely NOTHING you can do with THAT very machine. It's the second rule of computer forensic. Let's suppose a very smart and motivated attacker just coded a little piece of code to allocate hardware resources even when you disable them, enable wireless even when you disable it (via software, obv) and so on. There would be absolutely no way to tell using that very system, that's something you learn doing linux rootkits. Yes, you could check syscalls addresses and such, but that would not be of any use.
 First question: are you REALLY sure something is happening due to an attack? Can you test a similar system? Can you clone the system (Ghost 4 Linux) and reproduce this on another machine?
The idea: clone the machine (G4L will do) run it into VmWare (without any network connection) and test it. Even a rootkited machine will be helpless if you run it into a Virtual environment, so you can monitor and see what happens.
 Second question: can you check the size of some core system files and see if there's something strange? (Note you'll have to do it from a Live cd or such, not from XP since it could just lie about filesizes).
 Third: Check for Alternative Data Streams.


Your points are valid, and known, and considered.

Yes; I'm CERTAIN I am (have been) dealing with an attack.  Both Symantec and MS recommend notifying the feds and complete reinstall.

No; I can't clone (etc) at this point.  I am looking forward to that when I can but not sure when that might be right now.

I'm aware of the 'difficulty' of analyzing on the system that has been "hijacked".  You are both correct, and incorrect, regarding the "absolutely no way".  I can't go into any details due to the limited time for internet access.  There are conf.exe accesses going on as I type.  Hopefully (minimal) they are not succeeding but I've been unable to determine that.  As for their possibly sucessfully sending the keyboard input, screen images, and voice input, gathered while offline I can't be certain.

The size of core system files isn't helping.  I'm 80% certain explorer (among others) is compromised but can't confirm.  I also have 'indications' of core-resident modification but haven't had an opportunity to explore that fully; yet.  Should not be able to access JIT debug from the net, but...

Yes; there have been (are?) alternative data streams.  I've been working on that as well.

I left the system on yesterday after a reboot and did nothing until this AM.  I'm working on trying to determine whether the accesses to the print spooler, and etc, an hour or so before logging in could have, somehow, been "legitimate" and also trying to determine why the firewall wanted access to the internet for spooler.exe to yesterday morning.  I thought I'd taken care of that and haven't seen it for more than 2 weeks.

Again; your points are valid and I appreciate the feedback.  It's tough trying to deal with this without having anyone for a sounding board.  I'm not inexperienced regarding computers/software but I'm also intelligent enough to know that I don't know everything.  Feedback from EE may help stimulate the brain cells.  Wouldn't be the first time I missed something 'simple' because it failed to come to mind.

:) I hope my comment helped then.
May I ask why you can't clone? I would do that as the first thing.
Can you monitor the network traffic from a "Man in the middle" machine with wireshark or some sniffer? That  would help, provided the attacker is not encrypting the traffic (very likely).

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


Well...  Your comments didn't hurt anything.  It is a tough nut to deal with.

Don't have the facilities to clone at the moment or the $.  

You are correct regarding encryption.

Will be replacing the drive and saving it for later analysis along with the other drive and several ASR backups.

Oh well...

Thanks for the sanity check.
Thank you  for the accepted ans, anyway you could go for a clone using G4l (freeware) and a dvd (cheap) :D
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.