More brains needed

Discussion in 'malware problems & news' started by Not2Dum57, Jul 17, 2007.

Thread Status:
Not open for further replies.
  1. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    This needs to be fleshed out with precise facts, not generalities. For example:
    • Precisely how are rcbdyctl, conf, nwmb, rasdial, and msmsgs being used against you at will? What specific actions are taken?
    • Note that you can unintentionally re-enable Messenger. Are you certain this has not happened?
    • During periods of high long-term CPU use with no indication of what is using it - how are you tracking this?
    • With file accesses where no access should have occurred, how have you tracked this? Specific files involved?
    • On changes to system settings/registry that should not occur - which system settings and registry keys? Be specific
    • What do you mean by "I believe, based upon my experiences attempting to reinstall from scratch, that that CD and/or possibly one or more of my other masters that were used during that time period, were compromised."
    • You state that "I can, conceivably, order a new XP CD and start from there. But, without knowing what all was compromised, or how, what is the point?" Then what's the point of this thread?
    • What is the basis of your suspicion that "Strongly suspect that loading ANY of the other stuff would be asking to be reinfected."
    At least to this point I have not seen a single specific observation that would point to infection/takeover/anything. Potential software/hardware issues? Sure. Infection? No.

    Blue
     
  2. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Seer - "Flashing a BIOS' firmware is a piece of cake."

    Agreed.

    "It's not hard to imagine a malware that can do the same and attach itself on the firmware."

    A little hard to 'believe' but I agree. And, If I pulled everything, reflashed/replaced, and so forth without knowing whether or not that was part of the problem I also would not know what I had erased or how to prevent it from happening again. If, as I suspect, it does not start there but, maybe, ends up there.

    "There are many knowledgable users here, if you wait a bit, I'm sure you'll get many constructive responses. These are fine forums."

    Agreed. That is why I posted here AND the reason for the 'type' of post. As I stated previously brainstorming can be very beneficial. Part of that is NOT stating everything tried. Better that someone should say 'have you tried' or 'have you thought' than to be quiet thinking '...probably tried...probably thought of...probably knows...' I am knowledgeable but not a know it all.

    Thank you for your input.
     
  3. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Blue - "This needs to be fleshed out with precise facts, not generalities."

    I understand, and respect, both your sentiment and opinion. However, I have been dealing with this issue for over 1.5 years, essentially exhausting the 'precise facts' approach, and at this point the 'generalities' approach better suits the paradigm of the problem resolution process for my purposes.

    I will attempt to address some of your questions from that standpoint. With all due respect, posting some of the 'details' you request would serve no useful purpose.

    "Precisely how are rcbdyctl, conf, nwmb, rasdial, and msmsgs being used against you at will?" 'how', and even 'if' are both parts of the overall question. Consider, for example, analyzing a change to firewall after noting that some unexpected activity was occurring. Find that, coincidently, rcbdyctl and some related .dll's appear to have been accessed several moments before the unexpected activity was noticed that led to the review of the firewall settings. Was a background call for remote assistance made from my system to provide access to the firewall? Hard to believe. It's 'disabled'. Audit it. Eventually go so far as to remove it because 'odd' things are still happening and the audits, coincidentally, are recorded about that same time. Odd activity seems to have been stopped. Good. Until the activity starts again within hours, or days. This time it 'seems' to be related to conf, nmwb. Why/how? Take appropriate steps. Good. Later, what the h*** reenabled the wireless connection? I could go on but, hopefully, you get the 'general picture'.

    "Note that you can unintentionally reenable messenger, are you certain this has not happened" I am aware. Certain that didn't happen? Not in all instances. Others, yes.

    "During periods of high long-term CPU use with no indication of what is using it - how are you tracking this?" 'Noting' it would be more correct than 'tracking'. Noting is fairly easy. Very noisy CPU fan, long delays (sometimes minutes) between, for example, key press and response. Tracking is much more difficult. Procexp, procmon, task manager, hijack, provide no definitive clues. Oddly, as an example, task manager may reflect 0% as the low point in those instances where I have had it running at the time and no 'unusual' usage even as the 'symptoms' of that continue.

    "With file accesses where no access should have occurred, how have you tracked this? Specific files involved?" No offense meant, but I do not wish to divulge the somewhat proprietary method employed in some cases. In other cases, filemon or similar utilities. Specific file information would be useless, not pertinent to the discussion, at this point.

    "On changes to system settings/registry that should not occur - which system settings and registry keys? Be specific." Sorry, no. Not particularly pertinent. AV or firewall disable might be a general example.

    "What do you mean by "I believe, based upon my experiences attempting to reinstall from scratch, that that CD and/or possibly one or more of my other masters that were used during that time period, were compromised."" Put that back into the context of the initial post and 'generally' it seems fairly 'specific'. Basically, having been unable to rid myself of the problem even after several reinstalls, a compromised master can not be eliminated as a possible 'part' of the problem.

    "You state that "I can, conceivably, order a new XP CD and start from there. But, without knowing what all was compromised, or how, what is the point?" Then what's the point of this thread?" Brainstorming. Obtaining others thoughts regarding what I might be dealing with and how to get rid of it. If a clean reinstall isn't the solution what other option besides finding the cause makes any sense? Reinfection is not fun.

    "What is the basis of your suspicion that "Strongly suspect that loading ANY of the other stuff would be asking to be reinfected." Repeated reinfection shortly after network connection after repeated reinstall (isolated machine, no network connections possible) leads me to suspect that. Although, 'ANY' may be a little harsh.

    "At least to this point I have not seen a single specific observation that would point to infection/takeover/anything. Potential software/hardware issues? Sure. Infection? No." I fully understand. Can't blame you for feeling, or interpreting, everything that way at all. Under different circumstances I would probably agree. The simple fact is, however, that I have to deal with the circumstances at-hand. So, what software/hardware issue do you think added Volume Shadow Copy to the firewall and began the copy? As I have stated previously I am looking for ideas that I may not have considered and your 'conclusion' seems to warrant some 'precise facts' to justify it.

    With all due respect, and meaning no offense whatsoever, I have no desire to be treated like some newbie requiring instructions on how to download and run and report the results of the latest and greatest security tool. As I have stated previously, I am seeking 'general' input and thoughts and ideas from the standpoint and approach of brainstorming with others, with experience, who may have such thoughts and ideas regarding what I choose to post and, be willing to share them. If you need 'precise facts' you will not, necessarily, find them here.

    In any event, thank you for your opinion and your participation.
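The post above describes the observations in prose (a Remote Assistance helper touched shortly before a firewall change, a service appearing in the firewall exceptions, a wireless adapter re-enabled) but not how they were recorded. Below is an added example, not code from the thread or from any poster, of how those same observations would be pulled out of a Process Monitor CSV export so that "how are you tracking this?" can be answered with rows. It assumes Procmon's default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the watched image names are the ones the thread mentions with an assumed `.exe` suffix, and the log lines are constructed for the example, not captured from the poster's machine.

```python
# Added example (not code from the thread): triage a Process Monitor CSV
# export for the event types the posts argue about, so the answer to "how
# are you tracking this?" is a list of concrete rows rather than a feeling.
# Assumptions: Procmon's default CSV export columns (Time of Day, Process
# Name, PID, Operation, Path, Result, Detail); the sample log below is
# constructed, not captured from the poster's machine.
import csv
import io
import re

# Registry locations where an unexplained RegSetValue deserves a follow-up.
# Matched case-insensitively against the full path Procmon records.
WATCHED_KEYS = [
    (r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", "autostart entry"),
    (r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", "logon hook"),
    (r"\\CurrentControlSet\\Services\\[^\\]+\\(Start|ImagePath)$", "service config"),
    (r"\\SharedAccess\\Parameters\\FirewallPolicy\\", "firewall policy"),
]

# Image names the thread mentions (rcbdyctl, conf, rasdial, msmsgs), with the
# .exe suffix assumed; any start of one of them gets a row in the report.
WATCHED_PROCESSES = {"rcbdyctl.exe", "conf.exe", "rasdial.exe", "msmsgs.exe"}


def classify(row):
    """Return a short label if this Procmon row needs explaining, else None."""
    op, path = row["Operation"], row["Path"]
    if op == "RegSetValue":
        for pattern, label in WATCHED_KEYS:
            if re.search(pattern, path, re.IGNORECASE):
                return label
    elif op == "Process Create":
        # For Process Create, Procmon's Path column is the new process image.
        image = path.rsplit("\\", 1)[-1].lower()
        if image in WATCHED_PROCESSES:
            return "watched process started"
    return None


def triage(csv_text):
    """Parse a Procmon CSV export and return the rows worth a second look,
    in log order, each with who did it, what it touched and the new value."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = classify(row)
        if label is None:
            continue
        findings.append({
            "time": row["Time of Day"],
            "process": row["Process Name"],
            "pid": row["PID"],
            "label": label,
            "path": row["Path"],
            "detail": row["Detail"],
        })
    return findings


# Constructed sample in Procmon's export layout: one firewall-exception write
# (the "Volume Shadow Copy added to the firewall" case from the thread), one
# Run-key write, one watched process start, one logon-hook write and one
# ordinary file write that must not be reported.
SAMPLE_LOG = "\n".join([
    r'"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
    r'"1:02:03.1","svchost.exe","884","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\vssvc.exe","SUCCESS","Type: REG_SZ, Length: 82, Data: C:\WINDOWS\system32\vssvc.exe:*:Enabled:Volume Shadow Copy"',
    r'"1:02:05.4","explorer.exe","1200","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater","SUCCESS","Type: REG_SZ, Length: 44, Data: C:\Documents and Settings\u\updater.exe"',
    r'"1:02:07.0","services.exe","676","Process Create","C:\WINDOWS\system32\rcbdyctl.exe","SUCCESS","PID: 1400, Command line: rcbdyctl.exe"',
    r'"1:02:09.2","notepad.exe","1500","WriteFile","C:\Documents and Settings\u\notes.txt","SUCCESS","Offset: 0, Length: 12"',
    r'"1:02:11.8","winlogon.exe","600","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","SUCCESS","Type: REG_SZ, Length: 26, Data: Explorer.exe updater.exe"',
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["time"]} {f["process"]}({f["pid"]}) {f["label"]}: {f["path"]}')
        print("    " + f["detail"])
```

The point of the `detail` column is the one BlueZannetti makes later in the thread: a firewall-exception row written by a service host for a backup component has a mundane explanation, and the row shows which process wrote it and what value landed, which is what separates "odd activity" from a finding. The watch list is deliberately short; the path patterns are the usual XP persistence and policy locations and should be extended from a reference of autostart locations, not from memory.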
     
  4. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    It is difficult to resolve a problem that remains unarticulated. That is an issue with this thread.
    I disagree.
    When you say unexpected activity - what does that mean? On what basis do you expect or not expect certain things?
    Actually, no, I don't.
    Noise is unreliable since it depends on so many other factors - dust acting to lower heat transfer coefficients, room temperature, ambient humidity, etc., all act to moderate heat removal from your PC. The fan straining only means the sensor believes things are hot, not that the CPU is pegged.

    Inordinate response times typically revolve around software conflicts, and occasionally hardware issues.
    Fair enough
    Details are always pertinent.

    Might be or is? Yes, details are pertinent, even in brainstorming. If details are missing, the chance of brainstorming a different issue increases..., a lot.
    Let's put it back into the context of operational reality - if it's an OEM disc, your machine is not going to "compromise" it.
    Well, a backup program for one - even if the backup location is local. VSC will prepare to access the internet even though the backup is ultimately not to a remote location.
    I don't believe I've treated you as a newbie. I've asked for straightforward details nothing more.
    Then I shall move on.....

    Blue
     
  5. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    More & more it's like mumble-speak from Op.

    And this has been an ongoing issue for over a year & a half. That's way too long.
     
  6. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Are you on a network? A home or corporate network? Do you have other machines on it?

    You are way too wordy. Get to the point please. I have no idea what details to focus on. If you don't want to be regarded as a newbie, tell us relevant details. Make a bullet point list of everything you have tried. We will use that to determine what is wrong. I actually don't think you know what you are talking about. It sounds like poor quality hardware from what you've said.

    Please also drop the attitude you have. It's the depressed style, I've tried everything you could possibly try, it didn't work, there's no point in trying. If you want help, you follow our instructions...

    Have you scanned other members of your network? If another node is compromised, it is no surprise that you'll be infected again after a fresh install.
     
  7. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Blue - "details are pertinent, even in brainstorming. If details are missing, the chance of brainstorming a different issue increases..., a lot."

    First of all let me say again that a) I respect your opinions b) I understand exactly what you have been asking, and why c) I understand the 'conclusions' you have presented, and why.

    As simply as I can state it, I do not disagree with your statement above in general terms. But, in this particular instance, "the chance of brainstorming a different issue increases" fairly clearly describes exactly what I am seeking in this thread.

    Having determined beyond doubt that I do have an 'odd' problem that does 'seem' to manifest itself as 'malware' and having exhausted all of the 'standard' approaches to resolving the issue, the more 'different issues' presented the better the likelihood of an issue/tool/approach being presented that I have failed to consider.

    For example, I could point out that I am aware of the relationship between VSC, firewall, and backup and why I know that was not the issue in this case and how I determined that but, overall, going into the precise details would not be beneficial.

    Presenting 'VSC, firewall, backup' or 'hardware/software' or 'OEM CD' as possible issues, in the broader general sense, is precisely the type of response I am seeking and beneficial in its own right.

    Most posts, I suspect as is the case here, will be about issues or tools or approaches that I have already considered and I can, and wish to, simply eliminate from further consideration without discussion of details. Some, I am hopeful, might be worth further consideration or dialog. I see no harm in seeking that. I am not all knowing. It is entirely possible that someone else's general thoughts may point to that. Maybe it IS a 'different issue'.

    Thanks, again, for your thoughts. I am not trying to cause frustration but, unfortunately, in some cases that is bound to, inadvertently, happen. I apologize for that.
     
  8. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    zapjb - "And this has been an ongoing issue for over a year & a half. That's way too long". Yes, it certainly is and rehashing or redescribing all that I have done and how and why I have drawn various conclusions simply adds to the frustration of dealing with it.

    Put it this way. Simply presume malware, presume all of the usual tools have been ineffective, presume all of the usual steps for addressing that type of situation have repeatedly failed, and presume that the 'problem' can only be 'eliminated' for a very short period before it begins to reappear and gradually worsens. By 'usual' I mean such as Kaspersky, Symantec, McAfee, MS, Spybot, trojanhunter, adaware, spyware doctor, hijackthis, sysinternals, tcpdump, filemon, procexp, ghost, ... I will stop there because the list would become too long and take too long to recall.

    What would YOU do in that circumstance?

    Please consider that if I were in your shoes and were reading this post and were presented that question in this manner my general inclination would be to respond with something like 'you are crazy, this is nuts, the OP needs some serious help from a mental health professional, waste of time'. That is entirely understandable. Still, it is a serious question.

    Thanks.
     
  9. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    yankinNcrankin - 'sounds like something a bit more sinister than you think'.

    I don't think it is more sinister than I think. :)

    Regarding the rest of your response. After the 2nd reinstall did not resolve the issue I completely disassembled, let everything sit for 3 days in pieces, and rebuilt with a new, virgin, direct from manufacturer drive, before reinstalling from OEM original CD (XP Pro SP1), upgrading to SP2 using a CD from MS, taking all usual, and some not so usual, precautions (I'm not going to get into details, sorry) to prevent recurrence. Long story short, that did not resolve the problem. Nor did the time after that.

    Fully understand your post. S**** to be me. At this point, gathering general ideas, thoughts, approaches, and so forth can do no harm and maybe something worthwhile will result. Maybe not. Maybe I'll spend the rest of my life chasing shadows, rebuilding my system forever and ever while 'the sinister one' sips his/her cocktails and thoroughly enjoys the show. Such is life(?) along the information highway. Is it not?

    In any event, thank you for your thoughts.
     
  10. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    vkidv - 'Make a bullet point list of everything you have tried'. 'Please also drop the attitude you have. It's the depressed style, I've tried everything you could possibly try, it didn't work, there's no point in trying. If you want help, you follow our instructions...'

    Fully understand your frustration. See previous posts. It's not a bad attitude or a depressed style. I'm simply seeking some general thoughts regarding tools, approaches, and so forth for dealing with malware that I may not have considered. If something worthwhile comes of it, fine. If not, oh well. I have no intention of NOT trying but I have no need for or intent of 'following instructions' unless, perhaps, an idea is presented that has not been previously considered and tried multiple times in multiple combinations. Nor do I have any intent of providing a bullet point list of the results of those things attempted or other 'precise details' regarding the manifestation of the problem in its various forms.

    Yes, I am aware of the potential relationships between networks and infections.

    Respectfully, thank you for your thoughts.
     
  11. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    I'm just restating basics.

    Connecting to net before being totally clean & protected (crit. updates & AV & or other lockdowns). Possibly nullifies all fixes. In this case most probably.

    From Major Geeks.
    http://forums.majorgeeks.com/showthread.php?t=35407

    This will work if followed to the letter. Pita yes. But you've been doing this without positive results for over a 1 1/2 yrs.

    And I still say you'd benefit from more concise wording. GL.
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,

    Whenever I read a post like this, I have only one solution:

    Regardless whether an infection exists or not, there's a significant bit of a problem, so starting fresh is the best way.

    1. Pull the network plug (incl. wireless) from the wall.
    2. Restart with Windows CD in tray.
    3. Delete Partition Table and make new partitions.
    4. Install.
    5. Install firewall - or enable built-in one.
    6. Install patches, software etc.

    - Make sure you use legit programs - you could be reinfecting yourself.
    - Make sure your CD is not a cracked one with extra cookies.
    - Make sure your personal data does not contain naughty surprises.

    That's all, you should solve your problems in about 2-3 hours.

    Mrk
     
  13. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    zapjb - "I'm just restating basics. Connecting to net before being totally clean & protected (crit. updates & AV & or other lockdowns). Possibly nullifies all fixes. In this case most probably."

    Believe me. I know. But, as I've said ALL thoughts are appreciated.

    Link looks familiar but I WILL check it out.

    Thanks.
     
  14. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    mrkvonic - "... - Make sure you use legit programs - you could be reinfecting yourself. - Make sure your CD is not a cracked one with extra cookies.
    - Make sure your personal data does not contain naughty surprises."

    As far as I have been able to determine they are legit programs, not cracked CDs, no naughty surprises. Procedures have been followed.

    As for reinfecting myself - I am virtually certain that *somehow* that is exactly what has been happening.

    What I am seeking are general ideas regarding how to find that *somehow* and get rid of it given a situation where none of the usual and acceptable practices and procedures for dealing with this type of situation have worked.

    I can't say that I have tried *every* tool, scanner, monitor, utility, procedure, or practice that exists. I can say that the list is extremely long and includes everything I can think of or was previously directed to, or found through research.

    Given the situation more research, additional thoughts regarding where to look or what to look for, or what to try, are necessary. That, sad to say, makes more sense at this time than doing the same things over and over. Although, I AM still doing the same things over and over anyway. Maybe one of the changes in sequence or combinations of tools will be the correct one to isolate and eliminate that *somehow*.

    Thank you for your input.
     
  15. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    yankinNcrankin - "Lets be logical here and keep it real. You either got bad hardware or software or both. Or someone knows something about you ... "

    It is all entirely possible/probable/likely. But it is also true that there is a problem, that I have run out of ideas, need to resolve the problem, and have repeatedly been unable to successfully and permanently do so.

    The question comes down to 'what did i miss, how did i miss it, how was/is it done (if it was/is and is not hardware/software), how do I prevent it happening again?'

    Thanks for your thoughts.
     
  16. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    Why don't you do the specific routine @ MG?

    So what if it takes 10 hours. A guess.

    Many thousands solved that way.

    Print out directions, download apps & away you go.

    Then come back & tell us it worked.
     
  17. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    Not to go OT, but what you really need to be able to do is to dump out the octal (or binary) report of your entire core memory map and to decipher what is actually running on your system. Since there are tons of routines involved, that could take quite an extensive amount of time to go over. There are only three avenues for something to get installed on your system, through your ROM (firmware), RAM, or hard drive and/or other external source. It is conceivable that any of these parts could be infected or defective.

    If what you say were happening to me, I would get another system and start from scratch. I would NEVER totally depend on anyone or anything to rescue a system that keeps malfunctioning or not operating properly for me. No one program or person "knows it all" and if the situation becomes too difficult to resolve, I would start over. In your case, that might not be economically feasible. Both hardware and/or software can be corrupted. There are too many possible areas to examine where you could have a problem. You can go to tech support forums for someone to look over your system reports. You can execute anti-malware programs to see if they help. There is no guarantee that any of them will help. You can reload or rebuild the system, but then you have to determine if each component that you are reinstalling is actually "malware free". If the PC was a closed system (that is, no Internet) it would be much easier to isolate your kind of problem. But even with a closed system, you need to be a hardware and software expert to be able to go through each part with a fine tooth comb.

    I don't have a business online so I guess my circumstances would not put me in a position to become dependent on a machine. I have multiple systems so that should one have a problem, then I can use another one. But of course, that is not a viable solution for everyone.

    You probably have already done what has been mentioned in these links.

    http://www.spywareinfoforum.com/index.php?showtopic=60955
    http://www.castlecops.com/forums.html

    You may have been infected with something very obscure and rare and difficult to detect. What you really need to do is to find someone who has dealt with your specific situation and found the solution for it. Computers have become too complex for me since I graduated from college. Worst comes to worst, I can always go back to the typewriter and card puncher. Good luck.
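Mrkvonic's rebuild procedure (pull the plug, repartition, install, firewall, patches, and check that the CD and the personal data carry no surprises) and ccsito's point above that after a rebuild "you have to determine if each component that you are reinstalling is actually malware free" both come down to the same measurement: a trusted record of what the fresh, offline system and the install media look like, compared against the box after it has been on the network. The following is an added example, not code from the thread or from any poster, of that baseline-and-diff with SHA-256 manifests. The directory tree, file names, contents and the 203.0.113.7 address are constructed in a temp folder so the example runs anywhere; nothing in it comes from the poster's machine.

```python
# Added example (not code from the thread): SHA-256 manifest of a tree, taken
# once on the fresh offline install (and of each install CD or master), then
# diffed after the first network session so "it came back" turns into a list
# of files that appeared, vanished or changed.  The directory tree below is
# constructed in a temp folder; file names and contents are made up.
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (posix-style relative path) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash targets, not links
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Sorted lists of paths that were added, removed or changed since baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def unexpected_hashes(manifest, trusted):
    """Paths whose hash is missing or differs from a trusted list, e.g. hashes
    of the XP CD and the SP2 CD recorded on a different, known-clean machine."""
    return sorted(p for p, h in trusted.items() if manifest.get(p) != h)


def write_file(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a 'fresh install', then simulate the
    kind of drift the thread describes and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        write_file(root, "WINDOWS/system32/kernel32.dll", b"constructed kernel32 bytes")
        write_file(root, "WINDOWS/system32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        write_file(root, "WINDOWS/win.ini", b"[fonts]\n")
        baseline = build_manifest(root)

        # After "reconnecting": hosts gained a line, a driver appeared,
        # win.ini vanished.  Names and the 203.0.113.7 address are made up.
        write_file(root, "WINDOWS/system32/drivers/etc/hosts",
                   b"127.0.0.1 localhost\n203.0.113.7 update.example.com\n")
        write_file(root, "WINDOWS/system32/drivers/dropped.sys", b"MZ constructed driver")
        os.remove(os.path.join(root, "WINDOWS", "win.ini"))
        current = build_manifest(root)
        return diff_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two caveats a practitioner would attach. The manifest and the hashing tool have to live somewhere the suspect machine cannot write, and the hashing should be done from a separately booted, known-clean medium with the suspect disk mounted passively: a kernel-mode rootkit running on the installed OS can hide files from `os.walk` or serve clean bytes to the reader, so a clean diff taken from inside the suspect OS proves little. And the method only sees files on mounted filesystems; the MBR and the firmware that earlier posts worry about need to be imaged and compared separately.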
     
  18. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    What did you miss? First off, you're not specific enough for me to answer; you're missing way too much information. Second, I'm wondering if you're really looking for an answer. You said your system is a laptop, right? A Dell? You were already given advice on what to do; however, you said you've been there, done that. You probably got sabotaged by a worker of yours, no? Are you the only one that had access to your laptop? What programs were you using before the **** hit the roof? What kind of business are you involved in? Many factors involved. You wanna pick our brains, or better yet mine, then give me something more than what-ifs, maybes, would-ofs, could-ofs, was and is. For all I know that laptop you got from DELL was rigged just for you, my friend. :thumb:
     
    Last edited: Jul 19, 2007
  19. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Honestly if it were me I would scrap your system and eat your losses, and thats my serious answer.
     
  20. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    I'll just quote this -

    I will not say whether I'm wondering the same or not. :)

    Some kind of answer is certainly required by OP....

    Cheers.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Honestly this thread is a bit absurd.

    First I don't believe it's a hardware problem.

    Second, unless the OP comes up with more info I think any additional posts are a waste of time.

    Pete
     
  22. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    zapjb - "Why don't you do the specific routine @ MG?"

    I said I will check it out. If not already done I will try it.

    Thanks.
     
  23. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    ccsito - "what you really need to be able to do is to dump out the octal (or binary) report of your entire core memory map and to decipher what is actually running on your system. Since there are tons of routines involved, that could take quite an extensive amount of time to go over"

    Yes. I know. Working on it. As you said it takes time. Also yes to the links.

    You forgot to mention the difficulty of capturing the dump when the problem appears to be active. Good thoughts though. Thanks.
     
  24. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,616
    Location:
    Milan and Seoul
    A shot in the dark: Has anybody else physical access to your computer?
     
  25. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    yankinNcrankin - 'You probably got sabotage by a worker of yours no ?" No.

    "You the only one that had access to your laptop?" Short of an undetected break-in and failed alarm, yes.

    "What programs were you using before the **** hit the roof." Full VS suite, Macromedia suite, MS SQL, MYSQL, IIS, Frontpage, Apache, PHP, Office pro, NIS, and a large number of others including in-house developed. List would be extensive. However, after the last 'clean' rebuild only bare XP Pro, NIS, Office, and various scanners and tools used for analysis (hijackthis etc). Not that in the scope of this post it really matters.

    Regarding your other post -
    "Honestly if it were me I would scrap your system and eat your losses, and thats my serious answer."

    I can't say I would disagree or don't understand where you are coming from or that it is not good advice. But, my system was my livelihood and my life so what you are suggesting amounts to self-cannibalism. :)
     