Recognize the footprint?

Posted on 2006-11-28
Last Modified: 2010-05-18

11/28/2006  01:29 PM            61,440 icwres.dll
11/28/2006  01:29 PM           319,542 wmmres.dll
11/28/2006  01:29 PM         1,032,192 conf.exe
11/28/2006  01:29 PM           188,416 nmwb.dll
11/28/2006  01:29 PM           192,512 unregmp2.exe
11/28/2006  01:29 PM           376,320 msinfo.dll

11/28/2006  01:29 PM           183,808 accwiz.exe
11/28/2006  01:29 PM           337,920 zipfldr.dll
11/28/2006  01:29 PM         1,200,128 ntbackup.exe
11/28/2006  01:29 PM            53,760 cryptext.dll
11/28/2006  01:29 PM            45,568 mshta.exe
11/28/2006  01:29 PM           102,400 rcbdyctl.dll
11/28/2006  01:29 PM           159,744 scrobj.dll
11/28/2006  01:29 PM            27,648 shscrap.dll
11/28/2006  01:29 PM            39,936 rshx32.dll
11/28/2006  01:29 PM           114,688 aclui.dll
11/28/2006  01:29 PM            46,080 docprop.dll
11/28/2006  01:29 PM            48,128 docprop2.dll
11/28/2006  01:29 PM            44,032 twext.dll

11/28/2006  01:30 PM           422,514 SNDFW.log
11/28/2006  01:30 PM           151,552 shmedia.dll
11/28/2006  01:30 PM            84,992 avifil32.dll
11/28/2006  01:30 PM            33,280 inetmib1.dll
11/28/2006  01:30 PM            18,944 snmpapi.dll

The above were the processes, I think, related to the network activity occurring at the same time (access times) for which no firewall record could be found (2 fw's).   Also note that the netstat performed while the network activity WAS occurring did not reflect any connections.  I believe it relates to a hack I'm dealing with.   I don't want to get into the details of that here.  I'd just like to know

a) if anyone recognizes how it might fit with variation of a known hack/virus/malware footprint.

b) if anyone sees anything wrong with any file sizes.  I can't easily compare/research.

Note that I'm particularly interested in the 1:29 from the program files\...\conf.exe/nmwb etcetera and the second sys32 group.  Also note that the docprop might have been mine.  The sys32 stuff would be in access sequence.

Question by:jrs_50
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 10
  • 5
  • 4
  • +4

Author Comment

ID: 18031446
Perhaps I should have noted that the list includes the ONLY files (supposedly) accessed during the relevant time period.

Expert Comment

ID: 18033417
Concentrate on the executables. The files ending in .exe. The Dll's most likely have to be loaded from another process. Some of the processes are recognizable but some I am not sure about. Right click on unregmp2.exe and see who makes that file.

Is this a server? It has net meeting and movie maker running on it?

You are running a backup and it looks like a vbscript was probably running (scrobj.dll)

What does the FW log look like before and after?

Perform a search of your computer looking for files created during that time to give you clues to what activity was happening.

Any events in the event log?
LVL 57

Expert Comment

ID: 18033950
netstat will not show any UDP traffic, only UDP ports that you are listening on.

Do you have any software that could be quering this box using SNMP?  

How much network traffic in what time period are we talking about here?  Was the backup backing up local files to local drive or remote files.
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

LVL 38

Expert Comment

by:Rich Rumble
ID: 18034324
While a rootkit won't hide from a hardware firewall, it might a software or personal firewall such as M$'s own or something like ZoneAlarm, you may consider alternate monitoring methods such as Ntop or Cacti to get data from switch ports and interfaces directly.

Author Comment

ID: 18036862
Thanks for the input.  To address a few of the issues raised:

There should not have been any netmeeting session or movie maker activity.  No backup either (which I think is tied to zipfldr) unless that is somehow related to sysrestore doing something in the background that I'm not aware of (I'm no expert on everything XP does in the background).  Same scenario regarding vbscript running.

Aware UDP no reflected in netstat. I should have been clearer = no TCP (although I've caught TCP in FW where netstat doesn't reflect it.  Different instance/scenario).  As for the FWs, NIS shows nothing for time frame(no surprise there).  MS reflects UDP close 13:28:52 and next entry 13:31:52.  Nothing to explain the activity during the period in question.

Regarding SNMP - I'm researching that a bit further. So far as I'm aware it's disabled.  So is netmeeting, supposedly, but I've been dealing with 'outside control' issues for some time and can't fully rely upon any setting.  Example: I 'lucked out' and caught an instance of my disabled 'remote registry' having been enabled.

My various analysis tools are unavailable to me at the moment as I was in the process of attempting to reinstall when the indications of ...ware/virus reappeared.   Locating them all, on CDs or redownloading, and reinstalling will be tedious since my ASR backups were corrupted/useless.

In any event, thanks for the input.  It corroborates some of my thoughts.  I'll check back later to see if my feedback might stimulate someone's thoughts.

LVL 38

Expert Comment

by:Rich Rumble
ID: 18037041
Ntop actually sniffs network traffic and creates nice stats to look at and digest. Cacti, MRTG or other snmp type monitoring software, I feel, be pulling data from the switch or other network equipment as to rule out tampering via root-kit. With Ntop is best to span a switch port (aka port mirror), typically the gateway port of your router so you can listen to all LAN traffic, or you can span a single port to an Ntop server. OpenXttra has a win32 port of Ntop that is free.
LVL 57

Expert Comment

ID: 18038770
--> ntbackup.exe     File Backup/Restore program (may be using as part of the system automatic backup).

--> conf.exe           NetMeeting Client

--> snmpapi.dll      Used to receive SNMP traps sent by other network devices

--> avifil32.dll        DLL used to view AVI (Video files)

These were actual  processes running?

I would suggest you install something like Wireshark ( and caputer all network traffic to/from this computer and then you can see what is going on from a network point of view.

Author Comment

ID: 18041807
giltjr - with respect, I know what the processes are.  Actually running?  That's part of the overall issue.  They were definitely 'accessed' at the time indicated.  My presumption is either running or, I think more likely, being used as DLL's for something they provide in conjunction with the other dlls.   Matter of fact I found the same sequence just before coming here.  Nothing I was doing would (so far as I'm aware) account for it.  At the time my suspicions became aroused I was viewing something in notepad.  

Thanks for the links/product info.  I might give it a try.  The problem is that, so far as I can tell, whatever 'THIS' is seems to hide itself, or workaround, anything I do to 'capture' it.  I don't want to get into detail but I tried something similar today.  End result; I didn't see the 'normal signs' during the session.  I did see 'other signs' such as, for example, access to rstrui and a high level of I/O.  While analyzing some of the stuff from that session the 'normal signs' gradually reoccured, culminating in what appears to be the same 'access' to things as originally posted.

That is why, basically, I was hoping someone might recognize a 'footprint' of a known ...ware/virus in the info posted that would provide some additional clues as to what to watch/check for.  For example; I have strong suspicions that a variant of mydoom may have been (be) used as the seed of the overall problem

The SNMP thought makes sense to some degree and ties with the concept, other direction, of a call for Remote Assistance being made from my end (rcbdyctl).  The problem is that NEITHER of those "should be able" to happen.  My suspicion is that both come into play as though, for example, no vulnerability in Remote Assist and no vulnerability in SNMP but a vulnerability when some aspect of both is combined (along with possibly the other stuff listed, like movie maker).

Overall; I've been working on this 'problem' whose nature changes like a chameleon, for months (much to personal and financial detriment) without any success at ridding myself of the problem.  I could, I suppose, as an example remove the movie maker piece of it but past experience tells me the only effect will be a change to using the same 'logic' contained in some other dll or exe.  I have indications (past and present) of that scenario occurring.  Pull a dll/exe out of a 'found' footprint, the system gets scanned and a short time later same 'problems', different footprint.  Interestingly; the 'scan' and footprint change oftentimes seems to tie to tools such as NAVW32 although in fairness I should point out that it appears that ANY of the 'scanners' I've used (includes most) can be used/'borrowed' for that purpose as well as MS's own 'search companion'.

In any event, thanks for the feedback.  Maybe this message will set off a lightbulb of recognition either for those who have already responded or those who might yet weigh in with a thought or two.

I've nothing left to lose.  Might as well try whatever I can in the time remaining.
LVL 57

Expert Comment

ID: 18042720
The reason I ask is because .dll are not processes and from your list it is impossible to tell what processes are running that may be using some of the dll's you have listed.  In fact you list "SNDFW.log", which is  a log file, not a exe or even a dll.  If this is trully a process that is running, then you have big problems.

netstat -n will only show active, or recently active, TCP connections.  Are you saying that a firewall on your PC showed tcp traffic to/from you PC at the exact time you were doing a netstat command and you saw nothing?

--> accwiz.exe     Microsoft Accessibility Wizard

Maybe I have missed it, what is the excat problem you are having?

Author Comment

ID: 18042924
After some consideration,

Factor 'A' - nothing (literally) left to lose.
Factor 'B' - "it", as stated previously, is a chameleon so the chances are (from my experience over the past few months) pretty good that "it" will change based upon information posted/logged/viewed or whatever.  Part of the reason for my reluctance to post some details.
Factor 'C' - "it" can't fully read my thoughts (yet) beyond supposition based upon what "it" does know.
Factor 'D' - maybe some additional information might cause others to be on the lookout for signs beyond the obvious (there are few of those) before "it" destroys them as it has, effectively, me.

Nature of 'it':

Difficult to fully describe beyond chameleon but here are a few aspects

Screen shots taken.  Suspect Movie Maker plays a role in that although I've also had indications of mspaint, dell picture studio, media player, ms print fax viewer, mspaint, and others.

Keylogging is an element.  Particularly if readily available and not particularly 'apparent' such as DADKEYB or ATI hotkey poller.

Records audio if possible.

The 'accessibility' subsystem plays a role.

Information gathered, packaged, transmitted via virtually any processes it can find available  Chooses easiest first but adjusts as necessary.  A spooled print request destined for a network printer seems to be preferred but will use e-mail, fax, messenger, or whatever, including any 'server' type process that may be running.

Prefers wireless but will bridge if necessary including .v92 modem.

Seems nearly embedded in the event system.  Will detect access to particular files and move elsewhere.  If you do manage to get a copy of something that you "shouldn't" you will likely find it accessed/modified at a later point or possibly 'missing'.  

Able to hide from scans.  Strongly suspect it does so by hybernating on disk OR in memory as the particular scan point warrants.  May cause scans to go into 'not responding' mode for brief periods.  

Scans, finds, and utilizes existing components and/or disguises itself as same.

"It" will modify registry, firewall settings, etcetera, as needed.  Volume shadow copy may be attempted.  At various times, either passively or actively, may establish Remote Call for Assistance or utilize SNMP.  May use netmeeting.

May use RSTRUI or MIGWIZ or both to 'restore' itself under certain circumstances.  Not sure if that is active or passive.  Signs of both depending upon circumstance.  May take control and do a 'system restore'.  May corrupt 'system restore' such that a valid one can not be performed.  May also utilize 'protect' or 'pc health'.

Active 'hacking' and taking control of system tends to be brief bursts to patch/modfiy various processes to further propogate itself or whatever.  Unless you make "it" angry.  Then, the gloves may come off.  :-)

At various times have seem elements indicating chm/wmf exploit.  Believe xml, particularly as relates to "Help and Support" plays a role.

Suspect mydoom variant is involved because of an upsurge in infected e-mails detected by ISP AV about the time the real problems began, and repeated each time I have attempted to 'system restore' or 'restore backup' to deal with the problem.  Note that some got through the ISP and were picked up by system AV.  This last time I attempted a reinstall (the 13th) to a virgin drive my ISP filtered 12 on the 15th, up from an average of 2-3 that has been ongoing since the initial surge last March.  In my/this particular case, however I believe I was reinfected (essentially doing it to myself) when I accessed some files (.doc) I'd backed up from the previous infection.

Prior to the latest attempt to reinstall I had quite a bit of Visual Studio, Macromedia, Coldfusion, PHP, Java and other 'samples' that were, for lack of a better term, used against me.

Some things to watch for - access a folder in Explorer and both desktop and Explorer 'refresh', effectively changing the access times on all subfolders to the current.  Access control panel, full screen refresh when select an item and the selection doesn't take until the 2nd time.  Unexplainable network activity.  The access date/time of files folders that have no basis of 'reasonable' (either no way anything should have accessed or, conversely, should have reflected access and don't).  Same with modification dates.  Surges in CPU activity that can't be accounted for, particularly if there is a large descrepany between two different measuring tools.  Unexplainable I/O level/activitity.  Filemon is good for monitoring that (back in August I fired it up to find every file on my system being accessed, no scheduled or unscheduled scan going on, checked my network to find it maxed with no listed connections anywhere, and discovered Volume Shadow Copy permitted in my FW parameters).  

Some other 'processes' that periodically come into play on a fairly regular basis: tourstart, hearts (hrtwiz?), ntvdm, ntdll, ctfmon, winlogon, svchost, shimgvw, debug, spoolsv.  There's more but, out of context of the particular manifestation of "it" and a given time/symptoms, listing them tends to obscure more than clarify.  Hence, the particular list I provided initially and another reason for reluctance regarding 'details'.  In short; any of it can look like just windows being windows, taking care of itself in the background, unless (like my original posting) it is viewed within the context of the moment (such as the unexplained network activity that was occuring at the same time).

Even then, apparently, it is difficult to determine what was/is happening.


Author Comment

ID: 18043114
giltjr - Sndfw.log was included only because it was accessed at the same time.

Your netstat -n / firewall question - answer is YES but not in this particular instance where neither the netstat or FWs showed the activity (I have another method of detecting activitiy but it can't tell me what).

Are the files (dll, process, whatever) listed tied to that activity?  If so, how COULD they be?  They were the only files accessed (or, indicating that they were accessed) within the specific time period in question.  What process could/might have accessed them?  These are the questions I am asking MYSELF.

Hence, I limited my original 2 questions regarding the list provided.

a) if anyone recognizes how it (those particular file usages) might fit with variation of a known hack/virus/malware footprint.

b) if anyone sees anything wrong with any file sizes.  I can't easily compare/research.

I appreciate your input and understand your confusion.  It is entirely possible that the files in the list are not related to the network activity at all, or that some are and some aren't, or that all of them are for one reason or another.  That's what I'm trying to determine based upon, at best, circumstantial evidence.  It's a hypothesis or theory seeking proof/disproof.  I can not account for those file accesses based upon any activity going on that would be related to what I was doing at the time, particularly rcbyctl -> Microsoft Remote Assistance.  Does, for example, the background process for creating restore points, or some other type of snapshot, use accwiz and zipfldr?  That might be.  But what does it have to do with Movie Maker or Netmeeting.  I can picture rcbyctl possibly being used by Netmeeting.  Netmeeting might account for the network access.  sndfw.log would fit with net activity.  Trouble is, there should not have been any network activity.  Particularly Netmeeting which is disabled.  Where does Movie Maker fit in?  If at all?  The use of netmeeting, including nmwb.dll (whiteboard), certainly ties in, at least circumstantially, with the overall problem I've been having and have been attempting to resolve.  As does Movie Maker (that use is a recent 'replacement', I SUSPECT, since I'm no longer seeing the Media Player component use 'symptoms' that I was previously analyzing with respect to the overall situation).

As I said; I appreciate your input/thoughts.  Thanks.

Expert Comment

ID: 18044748
a) the activity has nothing to do with "disk optimization" XP does behind the curtains?
try disabling that feature:

b) file sizes by themselves don't show much, can you post us the versions and MD5|SHA1 hashes?

Expert Comment

ID: 18044786
there are excellent tools from SysInternals (now part of a Microsoft Corp) for the paranoid amongst us to monitor the various aspects of a system: . Try them and you might just crack the case.
LVL 57

Expert Comment

ID: 18045280
--> They were definitely 'accessed' at the time indicated.

That does not mean they were running.

I am attempting to understand what you want.  To put is simply, it seem that you believe that your PC has been compromised.  Is that correct?

If so what makes you think this?  Suspect network activity?  If so, install a packet sniffer and sniff away while you think the traffic is going.

--> (I have another method of detecting activity but it can't tell me what)

Can you tell us what your other method of detecting network activity is?


Author Comment

ID: 18049280
i'm well aware of the sysinternals tools and have been using them for quite some time.  They have been helpful toward noting 'suspicious' activity (such as the Filemon example I provided earlier) but I have been unable to pinpoint the cause of that activity.  Regarding "disk optimization"... In the case of heavy behind the scenes disk activity that may, and does, account for some instances that I have noted, as does maintaining info for system restore/last known good, and a few other things.  I have had some success in being able to distinguish that (partly by, for example, disabling system restore and some of the other aspects of 'normal' background activity as you suggested) from other activities which seem to make lesser 'sense' such as the volume shadow copy I mentioned.  In any event, in THIS instance I'm questioning the "suspicious" network activity.  


-->That does not mean they were running.

Granted AND fully understood.  Consider however that I'm dealing with a particular 'suspicious' activity occuring within a particular 1.5-2 minute time frame and that those were the ONLY files that specifically reflected 'access' during that particular time frame.  Add, that there does not appear to be any 'reasonable' explanation for at least SOME of those files being accessed during that period.  Does that not, at least, warrant asking my initial question regarding whether anyone might recognize similarities to a known problem related to those files being accessed?

-->To put is simply, it seem that you believe that your PC has been compromised.  Is that correct?

Yes.  I know beyond any doubt that it WAS compromised.  That, following a 'disk wipe' and reinstall from backup it WAS, again beyond doubt, compromised.  That, folllowing a complete clean reinstall of my server and installation of a virgin drive on my XP, and reinstallation of OS, and NIS, and download of applicable updates it was, again, compromised.  At that time I decided to reinstall the XP from backup and spend more time on the analysis of the problem that I had been working on because I already had copious notes, etcetera, knew in general terms what I was dealing with and had some hope that perhaps an upcoming 'security update' (I'm using that term to encompass AV and all eteceteras) might put an end to the compromise.  THIS time, having given up all hope other than that perhaps I would not be 'targeted' again, it is another virgin drive and reinstallation of OS.  Following the intallation of the original XP SP1, and OEM drivers, I was in the process of gathering some basepoint information (directory contents, permissions structure, registry snapshot, and so forth), reviewing/setting up in general, when I noticed a case of a possible netmeeting connection (conf.exe, nmwb.dll) followed, 4 minutes later, by what appeared to be a call for remote assistance (rcimlby and associated ras...) that potentially might still have been, and I have some reason to believe was, 'active'.  I immediately shut down in case it was (not bothering to take the time to look further) and, upon later restart immediately took care of disabling the requisite setting related to remote control and remote assistance.  I had previously disabled the wireless connection (supposedly) and thought perhaps I was being a little paranoid since the wireless was disabled and I had not yet cabled the LAN.  I proceeded with the installation through SP2, Office Pro, NIS, and obtaining updates etcetera.  During that period, and particularly while reestablishing the LAN and getting needed updates I classified my suspicions as paranoid and ignored them.  Since then I have had a number of reasons, remanifestation of problems I was experiencing before, that have led me to the conclusion that my system is, in fact, compromised again.

--> Can you tell us what your other method of detecting network activity is?
I suppose you will scoff but it is the XP, router, Server, and modem network activity lamps that are in full view, either directly or peripherally, at all times.  I'll pardon your laughter.  Bear in mind, that I'm a one man, one server, one workstation environment and have been conditioned over some period of time to tune out the 'normal' activity.  'Abnormal' activity is noticeable and, when coupled with other factors, including a certain degree of paranoia resulting from what I have been through for a fairly extended time period, warrants suspicion and some degree of investigation.  

---> If so what makes you think this?  That is a long story and there is a lot to it.  I've been dealing with the 'suspicions' for just about a year now.  Among other things (and there are many), catching an instance of several FW log entries disappearing as I was about half way through reading the first line.  Having the FW turned off or the entries/permissions changed, connections established between the workstation and server that should not have been, ... , 'struggling' to move my cursor in one direction to make a property setting while it is trying to move in another to a different connection, ... , being locked out of my own system, ... , network activity while in safe mode with no network, ..., system shutdown while in recovery mode, ... , system 'crashed' while dealing with an obvious case of active hacking and attempting to block it, ..., obvious system restore triggered remotely, and so forth.  However, as I said before, without the overall 'context' to go with all that the 'information' in and of itself is essentially useless, at best.  Furtunately I at least have the context to refer back to and certain patterns that are establishable for warranting further analysis.  Some of those prove to be dead ends, others lead to further patterns.  

---> Suspect network activity?  If so, install a packet sniffer and sniff away while you think the traffic is going.
Been there.  Done that.  At best at this point some justification for my paranoia, some tie-ins to netmeeting, remote assist, fax, print, and seemingly associated encrypted packets destined for some anonymous servers.  

Meanwhile, the search goes on, the settings continue to change, the suspicious activity continues.  And, the patterns continue to change.  To whit, "You reported this...  I'll do it this other way now".  I am hopeful that having removed much of what was worked with in the past from my system the possibilities of change will be reduced sufficiently to enable dealing with more detectable patterns and more limited options for change.  Not that that will really do me much good at this point but perhaps finding the trigger/kernel will be worthwhile.  I'm fairly certain I'm not the only victim.  I just happen to be one who poked back.

LVL 57

Expert Comment

ID: 18051231
I found some of your other posts, dealing with the hack.
I would really suggest that you turn this over to experts.  If your anti-virus scans have not turn anything up, then this must be new.

If you really want to try and catch this on your own, I would suggest getting Sysinternals tcpmon and just let it run (logging to a file of course).  Once you see the suspicious network activity, unplug your network connection and then examine the file.  This will give you the program.

I would not do anything on the computer while tcpmon is running.  This way nothing you do will cause any traffic.

You stated that you captured what appeared to be enctypted packets going to an anonymous sever.  Well no sever is truly anonymous.  There is an IP address and somebody owns that address.

Author Comment

ID: 18053763
giltjr -

--->I would really suggest that you turn this over to experts.  If your anti-virus scans have not turn anything up, then this must be new.

The AV (etc) scans find nothing and that includes the majority of scanners, on-line, safemode, normal mode, individually, in combinations, etcetera.

I've contacted various 'security tech support' seeking answers to various specific aspects as well as overall picture (Symantec, MS, ...).  End result = "Contact the FBI".  I've been in contact with both local police and FBI.  End result (interpretation) = "Sucks to be you", (actual position) = "If you can isolate specific IP, and its not an anonymous, we may be able to help.  If its anonymous it will require NSA to track and, realistically, they won't become involved unless a clear 'national security issue' can be shown. yada yada yada."

I've used a good many of the monitors and other methods in various modes of operation and 'schemes' and combinations.  It's actually possible that I do have the IP somewhere in my notes but it will take time to analyze/interpret all of that as well as various related 'circumstantial' evidence that fits with it.  That's a bit like putting together a jigsaw puzzle with no real idea what the final picture should look like (my original post here being one small possible piece of it).  At one point, many weeks ago, I believe I might have caught 'it' with a quick netdiag/debug to a text file (this was after having determined that netstat could no longer be trusted).  Unfortunately, I only took a quick look, said 'ah ha', went to check some potentially corroborating 'evidence', found it, went to reexamine the diag file  -- very hi cpu, i/o, unable to down the file again.  When I succeeded in doing so the information I had spotted could no longer be found.  Interestingly, following that 'luck' :-( subsequent attempts to repeat the luck resulted in the network activity stopping immediately upon execution of netdiag and resuming after.

--> If you really want to try and catch this on your own

Unfortunately it appears that I have no other choice.  Also, unfortunately, the damage has already been done and I have no financial resources, or time, remaining.  The outlook looks bleak from where I'm sitting, to say the least.  I take solace in the fact that I've acquired a strong reputation for 'getting the job done - no matter what' and that I will, eventually, get this job done too.  Unfortunately, this time, nobody is paying me to do so.  

Ah well...  Sucks to be me.

Thanks everyone, for your input/thoughts.

I'm leaving this question open for now in case someone, current or future, has an 'ah ha!' moment and can shed further light on matters.  In the event that I lose my access to ISP or EE before I can close it I'd appreciate the forum monitor distributing points as he/she feels is warranted with 'A' for effort.


Expert Comment

ID: 18054079
Hell, don't give up just yet.
 Let's assume that there is a live perpetrator using your resources (from certain signs of intelligence you described). Yet, since only you sit in the close proximity of the console, we can cut this person off by introducing a separate firewall. separate in it's true sense. try to get your hands on a computer somebody is willing to give away for free or even pay you to dispose the equipment. A quiet Pentium box with a monitor, keyboard and two NICs would do just fine. What I would then do is slap an IPCop firewall distro ( on it and before you connect the ethernet patches, lock things down to a bare minimal. _both_ the inbound and outbound. This would give you an easy way to turn things on trickle at a time and see graphic representations of the traffic indicating what exactly is that gives this Activity its gateway to your systems. To avoid revealing your administrative passwd to keylogging even the subsequent firewall tuning should be done on the console of the firewall.
that's it. now go ahead and nail the culprit..

Author Comment

ID: 18055926
jakoprit - Not certain I understand the detail but I grasp the gist of it and the idea has merit but won't be able to do so any time soon unless I can find some work/money to keep my head above water.  I also have to take into account that, so far, 'it' has been able to hide very well from everything (see earlier posts) I've attempted.  Not certain what portion of that is 'active' and what portion 'learned' but, at the moment, I'm attempting to keep everything at a minimum and not introduce too many other variables into the mix of hardware etcetera.  I still have not fully analyzed the tcpdump I set up on my server the other day.  However, at I indicated in an earlier post my 'sense' was that the activity I was attempting to catch did not occur during the dump period in spite of doing everything I normally do or am doing when the symptoms occur.  Interestingly, in a sense the lack of the activity tends to confirm rather than alleviate suspicions regarding being compromised.

An interesting point - I've been noting access to usmt/migwiz.exe and restore/rstrui.exe corresponding to every XP restart while connected to my server and not when disconnected.  I noticed this pattern, as a relatively new one at least with respect to consistency of occurrence, yesterday.  Previously; while rstrui and migwiz have fit into my analysis of suspicious activitiy I could find no specific pattern/consistency.  The pattern was repeated 4/5 times yesterday on my boots and this AM, but was not repeated on subsequent boot this afternoon.  Of course it is entirely possible that this is just an odd coincidence and another dead-end regarding patterns.  Still; and admitting that I may, at this point, be a bit too paranoid, the lack of an 'explanation' fits with my sense of 'it' adjusting itself based upon what I do, report, etcetera.

Also; I have to keep in mind that the FW on my server is NOT going to let anything into my XP that I haven't requested.  The backdoor has to be on my PC and had to get there, I think, either from the installation CD's themselves or from accessing certain documents I had stored on my server before attempting to acquire the windows/NIS updates (the server was physically disconnected from DSL when I retrieved those documents but it still, I think, was a mistake on my part).  Of course, once in here and with the requests for netmeeting, remote assistance, print, messaging, or whatever being received by my server FROM me the server will process accordingly.   I have had past, and present, indications that my server is playing a role in things.  Still, I think the key is on my XP.  I also think 'it' is at least partially crippled at this time both from an active hack and passive spy standpoint.  'It' may even be attempting to erase itself.  That's okay though because I still have 2 other hard drives, copious notes, and quite a few CDs containing trace evidence in case it actually manages to do so.

I won't give up.  Not as long as I am still breathing.  I'll just be slowed quite a bit until I can manage to recover from the financial problems that have been caused by 'it'.   When I do find 'it' I will most definitely collect my pound of flesh.  Bank on it!

Expert Comment

ID: 18057075
Sounds to me that the hacker is quite experienced, or could be a newbie, mainly because he/she/it moved your mouse instead of running console programs piped out into a network stream.
If anyone (literally) else, even your family or friends, have ever accessed the machine, then they could be downloading a virus accidentally. Or not accidentally.
Also, are you running a vulnerable server? The hacker could find your hostname, (assuming it is a static ip) and then compromise the server again and again. Have you tried isolating the server with Sandboxie as an experiment? I also think that you should unplug your computer from the network and try to find the backdoor implanted on your computer.

Expert Comment

ID: 18057382
OR the opposite to the lockdown - configure the newly to-be-acquired box to be in a bridge mode and capture the traffic from there (not on your compromised workstation). since in the bridge mode the NICs won't have addressable IPs, the perpetrator will not have the slightest clue that you are listening in on him and might get sloppy giving his endpoint destination easily away.
I have amassed quite an amount of aging hardware that I would love to donate to your cause. Unfortunately I live in one of the Baltic states (meaning halfway around the world) and the postage fees would probably stomp my budget :)

Author Comment

ID: 18057514
score_under - thanks for the thoughts.  Basically; been there, done that.  No one has LAN access other than myself and even I can't get to my XP externally via the server without reconfiguring the server.

The cursor movement only one aspect of an 'active battle' after I, somewhat, forced the issue of control by closing off various suspicious components.  In the end, I lost.  I don't believe the hacker is a newbie by any means.  I've been dealing with this for a while.  Not much I haven't tried including moving between isolated and connected XP.  I might point out that, previously, disconnecting the computer and wireless 'disabled' made no difference.  Including during the cursor incident.  I've since, I think, addressed the issue with the disabled wireless.

Symtoms differ between connected and not-connected states.  At least now, with fewer components to work with the patterns become more fixed.  A little while ago, having noted what appeared to be request for remote assistance I killed the connection and ran AV scan.  Of interest to me is the use of sendmail.dll.  It has appeared twice now since yesterday within the context of a pattern I've been following.  As I mentioned previously 'it' changes and also tends, if one connection means is closed, to use another.

I (re)installed filemon today (although I should have gotten a fresh copy) because of the disk I/O waves that keep occurring after a cmd DIR completes.  I started it just at the dir finished.  While I can understand the csrss, to an extent since I am in cmd, I don't yet comprehend the the extent of its I/O after the completion of dir.  Nor the seemingly associated rebuilding, or whatever, going on with respect to GAC components, explorer, and the culmination in winlogon.dll.  It does seem relatively consistent.  I suppose it MIGHT be 'normal' and part of filemon finishing its setup.  I had so many different filters previously when I was using it I may have forgotten what the 'normal' activity was.

Anyway, all thoughts and suggestions are appreciated.  It wouldn't be the first time in my life that I got sidetracked and overlooked, or forgot about, something simple.  The use of sendmail.dll might be a case in point.  I haven't set up either outlook or outlook express.  I've been using my ISP for the last couple of months to minimize potential for infection.  Hadn't really thought of mail as an output path but, apparently, I should have.


Author Comment

ID: 18057875
jakoprit - thanks for info.  Its been a while since I've had to get into the details of network config and would have some learning curve to set up what you suggest.  My background is more analysis/development.  Plus, chances are fairly good that 'it' is aware of everything being posted and suggested. :-(  

Thanks for the equipment offer.  I have boxes, monitors, etcetera in the attic that I could probably rig something from if I decide its worth the effort.  Mostly old.  Since I work on a shoestring budget and only buy what I need (mostly development tools) I would have to think about it.  I doubt the Timex Sinclair would be useful but...

As an aside to all this, I still find uses for my old W-95 system as well as an old DOS box with Windows 3.1.   I've used them on more than one occassion to solve a problem that couldn't be solved nearly as easily with some of the 'latest and greatest', if at all.   :-)    Sometimes progress isn't.    Thanks for the smile!


Accepted Solution

Computer101 earned 0 total points
ID: 18400682
PAQed with no points refunded (of 500)

EE Admin

Featured Post

Create Professional Looking Email Signatures

Create "Professional HTML Email Signatures" with ease.
7 Day Money Back Guarantee if not 100% Satisfied.
Affordable - Try it out for 7 Days Totally Risk Free.
Installers provided for over 45 Email clients.
Both Windows & MAC Supported.
Highly Recommended!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Automatically trust updated domain certificates on MacOS 1 54
Trojan 28 116
Mode / vector of infections and attacks 3 39
Better malware protection 9 47
OnPage: Incident management and secure messaging on your smartphone
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Sending a Secure fax is easy with eFax Corporate ( First, just open a new email message. In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question