HDD / RAM Persistence in something attacking my LAN

Discussion in 'other security issues & news' started by 0peratorX, Feb 17, 2010.

Thread Status:
Not open for further replies.
  1. 0peratorX

    0peratorX Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    16
    Hello, this is my first post in this forum.

    I hope this message is in the right place and will be welcomed.

    I have been having an issue with some sort of malware that has been infecting / re-infecting my PC's for the last few weeks.

    Several issues have arisen including the near loss of one of my large storage drives (not a boot drive). Had to rebuild the partition table and re-initialize the drive.

    My initial exposure to this "thing" was on my wife's PC that began acting sketchy with her wireless mouse and keyboard.

    The mouse was very jerky and the keyboard was slow in responsiveness. Replacing the fairly new batteries did not help with that issue either. So, I begin watching the drive with Disk Monitor and Process Explorer along with locate32 to find newly created files in the system.

    I finally found a few files that were persistently being recreated in a sub-dir of the temporary internet files folder and changed the permissions on that directory to a disabled user (exclusive rights).

    Also, the ctfmon.exe was running on her system even after I turned off advanced text services and had a large I/O byte count. So, I built a batch file to copy over that file with a blank text file named ctfmon.exe.

    I might have done one or two other things (cleaning out the temp folder, etc) but rebooting the machine resulted in the desktop being shown without being able to login.

    Now, by "not being able to login", I mean the keyboard was unresponsive and the mouse was disabled as well.

    The fun part began when I disconnected the network cable and rebooted. The machine came up with a 600x800 desktop with 16-bit color.

    So, I pull out the ghost image and begin a re-install. Only to find that the same thing happened when I got done with the image.

    Convinced it must be on the LAN or in the router, I disconnect all other machines and put up a different router. All to no avail.

    Finally, I decided to re-install from scratch but after a few days - it began doing similar things...

    So, I finally disconnect the power, pull out the hard-drive and random write the entire disk after blowing away the MFT. I pulled the RAM and BIOS battery then shimmed the power switch and left it that way for as long as it took to random write the 40 GB drive.

    Her system has been okay now (I think). Unfortunately, I believe mine has it as well. Although, I am pretty sure that it is in bad shape on this PC, because of all of the tinkering that I do on it.

    There is a possibility that this "thing" does not like the fact that I redirect my user document folders to a different place than default for XP. It also does not like the fact that I have disabled the telephony service.

    There are so many things that have happened (related to this?) in the last month that I am becoming tired of even trying to figure out what it is. No security products have found anything suspicious on the machine. But, I can tell you that there is something wrong with it (folder permissions change, packets leaving my adapter to dyndnds.com, screensaver hard to dismiss, etc...)

    Anyway, just wanted to get this out. My wife is tired of hearing about it / dealing with it and I am ready to throw in the towel.

    BTW, I have built a new install on a different drive that I random wrote on for this machine. But, I have so been hoping to try to figure out what it might be before I put my server 2003 back online (different machine).

    I am gonna be so hacked off if I start losing stuff before I get it all backed up...
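    The poster above watched a folder for files that kept being recreated. The script below is an added example, not the poster's own tooling, of how to do that comparison systematically: take a snapshot of every file under a directory with its modification time, take another later, and report what was created, deleted, or rewritten in between. The sample tree (a mock "Content.IE5" subfolder with constructed file names) and the simulated recreation are assumptions built inline so the example runs offline; point `snapshot()` at a real directory to use it for triage.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path


def snapshot(root):
    """Map relative path (posix form) -> mtime for every regular file under root."""
    root = Path(root)
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                snap[p.relative_to(root).as_posix()] = p.stat().st_mtime
            except OSError:
                # file vanished or is locked between listing and stat; skip it
                continue
    return snap


def diff_snapshots(before, after):
    """Return (created, deleted, rewritten) relative paths between two snapshots.

    'rewritten' covers files present in both snapshots whose mtime advanced,
    which is exactly what a file that is deleted and recreated looks like.
    """
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    rewritten = sorted(p for p in set(before) & set(after) if after[p] > before[p])
    return created, deleted, rewritten


def build_demo_tree():
    """Constructed sample tree mimicking a Temporary Internet Files subfolder.

    Files are backdated by an hour so a later rewrite is clearly newer.
    """
    root = Path(tempfile.mkdtemp(prefix="tif_demo_"))
    sub = root / "Content.IE5" / "ABCD1234"  # assumed cache folder name
    sub.mkdir(parents=True)
    old = time.time() - 3600
    for name in ("index.dat", "page[1].htm"):
        f = sub / name
        f.write_bytes(b"constructed sample content")
        os.utime(f, (old, old))
    return root


def demo():
    """Snapshot the sample tree, simulate one recreated and one new file, diff."""
    root = build_demo_tree()
    try:
        before = snapshot(root)
        sub = root / "Content.IE5" / "ABCD1234"
        # simulate the behaviour described in the post: one file is recreated
        # (new mtime) and a fresh one is dropped alongside it
        (sub / "index.dat").write_bytes(b"recreated content")
        (sub / "dropped.tmp").write_bytes(b"constructed new file")
        after = snapshot(root)
        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    created, deleted, rewritten = demo()
    print("created:  ", created)
    print("deleted:  ", deleted)
    print("rewritten:", rewritten)
```

    Run it twice against a live folder with a pause between snapshots (or on a schedule) and the `rewritten` list tells you which paths are being regenerated, which is the evidence to take to a removal forum along with the process that owns the writes.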
     
  2. Vicenarian

    Vicenarian Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    7
    install Linux.

    jk

    Honestly, (being the noob that I am), I have never heard of anything so persistent. The only thing I can think of would be booting into a BartPE/UBCD4WIN environment and doing something from there?
     
  3. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Are you sure it's not ctfmon.dll, rather than ctfmon.exe? Check closely, because ctfmon.dll is a known exploit. Which might go a long way to explain the problem.

    ***

    Don't rule out hardware problems. I recently installed a new soundcard in someone's PC and they were having similar problems, Hardware Interrupts - causing sluggish mouse movements, unresponsive keyboard, changing pci slot fixed this, for me. GPU might be on the way out and unable to function in 32bit. Gpu drivers updated? Check running temps on hardware, motherboard, CPU + GPU, HD's.

    ***

    If you are infected with something nasty, you will get more specialized help with malware removal at places like bleepingcomputer.com, etc. Places where you can post a system snapshot/Hijack log and get it analyzed thoroughly.

    This link is a good place to find help.

    Toodles.
     
  4. 0peratorX

    0peratorX Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    16
    Ah well, the thing is...

    I do computer support myself.

    ---

    Her machine is in good shape. The hardware is relatively new and I keep things tidy and up to date.

    On this machine, the "thing" has been reduced to endless driveling about COM+ this failed, RPC that failed, blah blah blah.

    It is still trying to "do its thing", but I have really punched it below the belt.

    And every time that I leave this machine, I physically pull the network connection from the back of it.

    There's really very little hope for it. I am just biding my time / see what I can see. There is a nice "new" 320GB drive sitting in front of me with XP SP3 and all updates to two weeks ago loaded on it (pulled it out and dropped this one back in - because snuffing it out without at least getting a good taste of it is not in the best interest of education and future evasion.)

    But, thank you for your suggestion. I think this time I will pass on the repair and go straight to FORMAT |Y C:\ (well, you get the idea... :D )
     