More brains needed

Discussion in 'malware problems & news' started by Not2Dum57, Jul 17, 2007.

Thread Status:
Not open for further replies.
  1. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    I'm not a newbie. I know quite a bit about computers, software, security, and so forth. But, I only have one brain, I don't know everything, and I have a problem that I have been unable to resolve using conventional means. Before I wipe my system (for the 5th? time) I thought it might be worthwhile to post here and either gain new knowledge or at least obtain some additional thoughts from others that, perhaps, I failed to consider, or forgot, or just plain didn't think of. After all, two brains are better than one, and more brains can't hurt.

    Simply stated, I was seriously hacked, have reason to believe that I still am, and I have not been able to resolve the 'problem'. I've been through the mill, including paying for assistance, without tangible results. My business was, essentially, destroyed. I'm broke and currently unemployed. So, some options are no longer available, including keeping my AV subscription current. Not that it helped in the first place. And, in fact I am not so certain that it has not actually become part of the problem. :( The conclusion from the paid support (twice) was that I should contact the FBI. I did but, of course, it was/is a total waste of time and effort.

    Basically, my own system (XP pro) and its components are being used, or appear to be used, against me (rcbdyctl, conf, nwmb, rasdial, msmsgs, and more) at will. Address one issue, for example, disable calls for remote assist and something else is used. Eventually, discover remote assist is no longer disabled. Or the firewall has been disabled. Or messenger has been reenabled, or the modem was used, or wireless enabled/configured, etcetera. Overall, running in circles. Track one thing, shifts to another. In short, can't trust anything. Including Safe Mode no networking.

    Symptoms include network activity with no trace, high long-term CPU use with no indication of what is using it, high disk usage with no explanation, event log not logging events, gaps in firewall logs, file accesses where no access should have occurred, changes to system settings/registry that should not occur, 10-15 minutes of high I/O and/or network activity while waiting for system shutdown, account lockout, and so forth.

    At the moment I'm simply looking for input/discussion regarding what else I might try to find the problem before attempting another full, clean, reinstall. Last two times the symptoms began reappearing before I'd even managed to download applicable updates. Haven't been through the full sequence of scans suggested on this forum recently but previous times didn't help and I have little faith that spending the time doing it again at this point will produce any different results.

    Ideas anyone?
     
  2. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Did this begin with your first ever installation from the discs?
     
  3. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    No. As near as I have been able to determine it probably started with a chm or metadata vulnerability that opened a backdoor. At the time I had loads of development software on my system providing a wonderful environment for doing all sorts of damage. By the time I realized that I had a problem it was too late. As my attempts to isolate and track became too aggressive my system was, essentially, destroyed. That included, among other things, an active battle over control of my installation CD. I believe, based upon my experiences attempting to reinstall from scratch, that that CD and/or possibly one or more of my other masters that were used during that time period, were compromised. I don't believe it is a rootkit. More likely, again based upon my experience in attempting to deal with it, a very subtle and well hidden backdoor. Once the door is opened the process begins again. I can, conceivably, order a new XP CD and start from there. But, without knowing what all was compromised, or how, what is the point? I could get XP, maybe, installed cleanly but without my tools, documents, etcetera that would be little more use than a paperweight. Strongly suspect that loading ANY of the other stuff would be asking to be reinfected.

    Thus, my reason for posting. Maybe someone has an idea of how to find the source of the problem that I haven't considered, a tool I haven't tried, or whatever. Can't hurt to ask can it? (Except someone is 'listening' and has proved fairly adept at circumventing everything. Forewarned is forearmed is it not?) :-(
     
  4. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    A quick question. Are you running a firewall and/or router? I'm sure you know this, but I'll say it anyways, if your computer is connected to the internet without a firewall, (even while updating Windows) the average survival time is about 6 minutes before it is compromised.

    Is your copy of XP Pro genuine? I also think you can use another copy of XP Pro to install, but you have to use your license to activate it. This may involve a call to Microsoft.

    The good news is that if you're now using the computer for personal use, there are many good and free programs to secure it. I'll let the experts take over now.
     
  5. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    Op is very well versed in English. In this case imo this verboseness hurts.

    Maybe restating the situation more concisely would invite better response.

    I'd say without this concise restatement. To gather on demand scanners. And to physically disconnect from the internet & any network. And get at least
    Infiltration Recovery Tool
    http://www.excessive-software.eu.tt/
    Infiltration Recovery Tool gives you ability to recover some key system features when facing malware infiltration.
    Many trojans, worms and backdoors disable Task Manager, Registry Editor and some even Explorer's right-click context menu.
    You can restore these features with Infiltration Recovery Tool in just a few clicks.
    Though there is no guarantee that it will work in all situations...

    Infiltration Recovery Tool supports all Windows operating systems.
     
  6. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,566
    Since from what I understood your budget is limited I think that the best approach should be the following.
    1. Download and install comodo firewall http://www.personalfirewall.comodo.com/ or Jetico personal firewall http://www.jetico.com/download.htm
    Both have great antileak capabilities and maybe will help to identify the problem. (more info http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php)
    2. Download and install Boclean http://www.comodo.com/boclean/boclean.html
    3. Download and install comodo antivirus http://www.antivirus.comodo.com/ It has some hips capabilities and will help. Reboot the system and if the hips warn you about some applications permit them to launch but do not select the remember option. After that disable all the features of Comodo antivirus.
    4. Download and install Antivir free http://www.free-av.com/ .
    5. From the comodo antivirus interface reenable all the features but not the antivirus on access scan. For this it is better to use antivir.
    6. Perform a full scan with comodo antivirus and upload all the unknown files to them.
    7. Perform a full scan with antivir with the heuristics at maximum. It will give false positives but it could also catch the bad guy. Upload all the files that it recognizes as malware both to comodo and antivir. It will not hurt to upload them at the www.virustotal.com too.
    8. Install peerguardian http://phoenixlabs.org/pg2/ it has great logging capabilities and it will help you review where your pc is connecting when you do not use it. Do not install the antip2p list because it will block the connection with comodo and you will not be able to update the comodo programs or upload the files to them. But you can use the other lists. For more info about peerguardian lists http://www.bluetack.co.uk/forums/index.php?autocom=faq&CODE=02&qid=17
    9. Install hijackthis http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

    10. Go at the forums of comodo http://forums.comodo.com/, avira http://forum.avira.de/ and ask for help there too. As you said the more brains the better.

    Hope it helps a little,
    Panagiotis
     
  7. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    I kinda agree with this. Long posts but rather short in details. Let's first see what measures have been taken so far...

    FBI o_O
    Please tell me, what exactly is paid support? Who are they? What exact steps did they take before suggesting something like - FBI?

    How exactly did you come to this conclusion?

    CD? Compromised? Isn't that read-only?

    What attempts? You're not telling us much here, buddy...

    :doubt:
     
  8. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    I'm very dubious of Op's situ. Thanks Seer for stating what I couldn't find words for.
     
  9. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Yes to the firewall. Yes to the genuine. Yes to the contact MS for new CD.
     
  10. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Thanks Pandlouk. Sooner or later SOME scanner will find it if for no other reason than they are all being constantly updated and I'm fairly certain that I'm not the only one 'infected'. Perhaps just a little more aware of it than some.
     
  11. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Seer. Were I to post all of the details of everything I have done since the problem began, scan results, logs, tools used, symptoms encountered, conclusions reached and how, and so forth everyone would REALLY complain about the length of my posts and probably be none the wiser.

    The 'paid' support was to 2 of the better known and respected companies in the security industry whom I prefer not to name for reasons that I shall keep to myself at this point. The 'FBI' request was for the purpose of acquiring assistance to further track some connections through anonymous servers that were suspect given the information diagnosis at that time.

    As I've stated - this post is simply for brainstorming and possibly finding scanners or tools that I haven't previously tried. Preferably free because I've already spent too much. Any ideas regarding how the problem is hiding itself or how it manages, for example, to establish a request for remote assistance from my system when that is disabled, or track the connection, are welcome as well.

    Simply put, my system presents strong symptoms of someone else periodically controlling it, monitoring it, and doing such 'damage', for example, as altering my firewall or registry or policy or other settings.

    Thanks for your thoughts. I fully understand your skepticism.
     
  12. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Do you have multiple CD rom drives?

    You might wanna scan your discs and your hard disk from another machine.
     
  13. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Zapjb. I too would be very dubious were I to put myself in your shoes. In fact, I have a problem believing that it's happening myself. Unfortunately, things like, for example, having my system at 100% cpu, disk at high load, major network usage, and eventually being able to determine that Volume Shadow Copy was added to the firewall with full permissions, lead me to think that I'm not quite as insane as most people might suspect.

    One more thing before someone asks, during that particular episode neither of the 2 firewalls nor portreporter nor the event logs logged anything. They appeared to have stopped recording about 10 minutes before that (or were stripped). Perhaps coincidentally conf.exe and nmwb.dll (among others) were accessed 2 minutes after the last log entries.

    Do you happen to know of a good tool that would log name, start time, and network connections for processes started? I need one that won't either totally bog down the system or require so much filtering to prevent that that they are useless.

    I would particularly like to be able to log activity occurring during the period between boot and completion of the startup processes and those between shutdown request and poweroff.

    Thanks.
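    One thing the thread keeps coming back to is logs that "stopped recording about 10 minutes before" the suspicious activity. Added here as an illustration (not code from anyone in this thread): a small parser for the W3C-style Windows Firewall log (XP's pfirewall.log layout is assumed; the parser reads whatever the #Fields header declares), which reports silent stretches longer than a threshold and how long the log had already been silent when a given event, such as the conf.exe access mentioned above, occurred. The log lines are constructed sample data.

```python
"""Find silent stretches in a Windows Firewall (pfirewall.log, W3C layout) log."""
from datetime import datetime

# Constructed sample log (not from the thread), in the W3C "Extended Log" layout
# that Windows Firewall writes; the #Fields header names the columns.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-07-17 09:58:01 OPEN TCP 192.168.1.5 203.0.113.10 1034 80 - - - - - - - - SEND
2007-07-17 09:59:40 DROP UDP 198.51.100.7 192.168.1.5 53 1027 78 - - - - - - - RECEIVE
2007-07-17 10:00:12 OPEN TCP 192.168.1.5 203.0.113.10 1035 443 - - - - - - - - SEND
2007-07-17 10:12:30 OPEN TCP 192.168.1.5 203.0.113.22 1036 80 - - - - - - - - SEND
2007-07-17 10:13:05 CLOSE TCP 192.168.1.5 203.0.113.22 1036 80 - - - - - - - - SEND
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_entries(text):
    """Yield (timestamp, record-dict) for each data line, keyed by the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if not line or line.startswith("#"):  # blank lines and other directives
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        rec = dict(zip(fields, line.split()))
        yield datetime.strptime(rec["date"] + " " + rec["time"], TS_FMT), rec


def find_gaps(text, min_gap_seconds=600):
    """Return [(last_ts, next_ts, gap_seconds, last_record)] for each stretch
    of at least min_gap_seconds with no entry; last_record shows what the
    firewall saw just before it went quiet."""
    gaps, prev_ts, prev_rec = [], None, None
    for ts, rec in parse_entries(text):
        if prev_ts is not None:
            delta = (ts - prev_ts).total_seconds()
            if delta >= min_gap_seconds:
                gaps.append((prev_ts.isoformat(" "), ts.isoformat(" "), delta, prev_rec))
        prev_ts, prev_rec = ts, rec
    return gaps


def silence_before(text, event_time_str):
    """Seconds the log had already been silent when an event (e.g. an unexpected
    file access at 'YYYY-MM-DD HH:MM:SS') happened; None if nothing precedes it."""
    event = datetime.strptime(event_time_str, TS_FMT)
    before = [ts for ts, _ in parse_entries(text) if ts <= event]
    return (event - max(before)).total_seconds() if before else None


if __name__ == "__main__":
    for last, nxt, secs, rec in find_gaps(SAMPLE_LOG):
        print(f"silent {secs:.0f}s from {last} to {nxt}; last seen {rec['action']} "
              f"{rec['protocol']} {rec['src-ip']}->{rec['dst-ip']}:{rec['dst-port']}")
    print("silence before 10:02:12 event:", silence_before(SAMPLE_LOG, "2007-07-17 10:02:12"))
```

    Run it against the real pfirewall.log (and the same idea works on any timestamped log, such as an exported event log) to get exact start times of each quiet stretch to correlate with file access times.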
     
  14. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Vkidv. Yes I do. Yes I have. Not this latest hard-drive from another system but 2 of the prior. No better luck with the scans than when the drives were active.

    Thanks.
     
  15. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Is your machine custom built or from a manufacturer?
     
  16. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    Are you (physically - plug pulled) disconnected from any net when trying fixes?

    I wouldn't connect at all until solved.
     
  17. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    OK. :doubt: I'm not that skeptical, I just like to start from the beginning. "Not a newbie" is a loose term. :)

    Are you suggesting that something like a BIOS rootkit (sorry, I can't provide any reliable link, you can Google it) somehow got onto your system? No, it seems I'm suggesting it. :) Something that controls your hardware on a lower level than HD and stays on flashable chips, so format cannot kill it. I'm actually not quite sure if something like that exists. But I assume your BIOS has been flashed already, right? I am not aware of any other flashable chip on a m/b that could be (theoretically) a hideout for malware. External cards (video) have a BIOS too.
    Have you contacted your ISP? What do they say?
    Other than that, I'm clueless... A hardware issue?
    You should've lost me by now... I'm just thinking aloud. :doubt:
     
  18. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    What kind of computer you got and how old is it?
    I think you gonna need access to another computer to dl your drivers unless you got them on disc from the manufacturer of your computer or maybe you may be lucky and upon boot of windows they will be recognized already and not have to reinstall drivers like for your ethernet etc.

    Once you back your data up using a live CD like Bart or winPE or maybe even some live linux CD, I would unplug everything and start removing everything from the mother board, memory, PCI devices etc. just so you can check out the status of the parts and reseat them properly. Remove the cmos battery or press its reset switch if it has one then kill disc your whole drive http://www.killdisk.com/downloads/killdisk.zip
    or use the manufacturer's low level disc tool that's designed for your HD. When all is done do the reinstall with your Genuine CD of windows, recreate partition, reformat etc. I personally have never failed in restoring a system this way providing that the hardware is ok. However, you're lacking in information so good luck.
     
  19. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    Until I hear different I think Op is trying to fix this while still connected to network(s).

    A mistake.

    Why with the verboseness & verbage does this feel like pulling teeth?
     
  20. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Vkidv - Dell laptop. And, before you ask, while I haven't checked for a BIOS upgrade recently I was keeping it current at the time. Still 'current' with windows updates (not that that means much) and so forth.
     
  21. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Zapjb - the answer to that is 'yes and no', or 'depends upon at what point we are discussing'. As simply as I can put it. At various times during the analysis process, especially when reinstalling, I have completely disconnected including pulling the wireless miniport board, ensured 'virgin' from mfg new disk drive, and so forth. Would scrap entire system if I could afford it or thought that would work. Trouble is, if I reinstall any tools, files, or whatever that were from the infected system the odds of reinfection appear to be high. If I don't reinstall any of that stuff there is little point to having the system. If I can isolate/find the 'problem' I could, possibly, prevent reinfection.
     
  22. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Seer -
    "Something that controls your hardware on a lower level than HD and stays on flashable chips, so format cannot kill it. I'm actually not quite sure if something like that exists."

    I have had that thought myself on more than one occasion and for various reasons. Difficulty is in finding analysis tools to check on things at that level. Can't afford, at this point, to hook up another system to, for example, start in Safe with Debug. Some doubts that that would work anyway.

    Have also considered that it floats around in 'named pipes' and other 'impossibilities'.

    "You should've lost me by now... I'm just thinking aloud."

    Thinking aloud was what I requested. Thank you.
     
  23. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    yankinNcrankin - "I personally have never failed in restoring a system this way providing that the hardware is ok."

    Me either until this one.

    Regarding your other suggestions/comments. Simple answer is, pretty much, been there done that. Even went to the expense of purchasing virgin drives, twice, for reinstalls not wishing to rely upon killdisk.

    Good thoughts though. Thanks.
     
  24. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hey Not2Dum57.

    Flashing a BIOS' firmware is a piece of cake. I did it twice on my new m/b since March (newer versions were available).
    From Windows, in 0.25 seconds.
    It's not hard to imagine a malware that can do the same and attach itself on the firmware. It would, of course, have to replace a piece of code in a firmware, as this is always the same fixed size - in my case 512kb. But I find it doable. Although I really don't recall I heard of such a case in real-life.
    There are many knowledgeable users here, if you wait a bit, I'm sure you'll get many constructive responses. These are fine forums.
    If I think of something else, I'll get back to ya.

    EDIT: In the meanwhile, take a few minutes to read this. It's from 2006. (credibility unknown)

    Regards. :)
     
    Last edited: Jul 18, 2007
  25. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Zapjb - "Until I hear different I think Op is trying to fix this while still connected to network(s)."

    At this particular stage of the game you would be correct.

    "A mistake."

    In general I agree with that 100%. But, was unable to resolve the problem during months of that approach or use the system for anything worthwhile. Once reconnected, reinfected, gets worse over time. So, at this point, maybe there will be an actual benefit to doing it this way. Also, at this point I have little other choice.

    Thank you for your input.
     