More brains needed

Discussion in 'malware problems & news' started by Not2Dum57, Jul 17, 2007.

Thread Status:
Not open for further replies.
  1. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Seer - Yes I am looking for an answer but it is not the typical question or situation. Thus, I am not looking for the typical answer. Or, perhaps, it could be better said that I am looking for the question that I have not yet thought to ask myself.
     
  2. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Peter2150 -
    "Honestly this thread is a bit absurd."

    I agree.

    First I don't believe it's a hardware problem.

    I agree.

    Second, unless the OP comes up with more info I think any additional posts are a waste of time.

    I disagree, although I could think the same as a responder rather than the OP.

    Thanks.
     
  3. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Osoban - "A shot in the dark: Has anybody else physical access to your computer?" By break-in and bypass of alarm. I can't say it is not possible (anything is possible) but I do not think it is the case.

    A shot in the dark very well fits the context of my post and question. Thanks.
     
  4. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    How many computers do you have, how are they connected, and how are you connected to the internet? (BE SPECIFIC) Who is your ISP? Is your router firmware up to date? Have you changed your router's default password? Are you using a shared wireless connection? Are there any 'secret' hardware devices hooked to any of your equipment ;)? If you have other computers on the network, are they having problems also? If it's a laptop and it has a good firewall, have you tried going to another physical location and reformatting, installing and updating Windows? Do you know an exorcist or have an eBay account to sell this machine :p . Sorry, couldn't resist :). I do think you need to be specific about the way the computers are connected. Specific device names would be helpful for firmware searches. If you don't help us, we can't help you. It's just that simple... Cheers
     
  5. vkidv

    vkidv Registered Member

    Joined:
    Oct 6, 2003
    Posts:
    62
    Thank you for understanding my (our) frustration Not2. These kinds of problems annoy you and us. I am sorry for my hostility towards you. Nothing personal.

    Shot in the dark? Hmm.

    Do you have a router?
     
  6. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Innerpeace - "If you don't help us, we can't help you. It's just that simple"

    I am very much aware of the difficulty/impossibility presented given the nature of my posting and question. It is even more difficult to provide the details requested. Your questions are valid. They are also helpful in the sense of their being asked (see my previous response to Seer). But, only in that sense.

    Due to the nature of the problem the only real answer I can provide is that your questions are ones that I have already asked myself. I have, at various times, and in various forms and combinations, found the 'answers' as well. But not the problem. The answers vary depending upon the point of time within the overall analysis process and the particular combination of variables. Example: Through proxy server or not. Through router or not. Direct connect or wireless or modem or no connect at all. This ISP or IP or that. Firmware up to date or not. OS up to date or not. And so forth. Not ALL combinations 'asked and answered' but at least the major ones and a few others.

    Even if I were to answer with respect to the current, at the moment, setup my experience with this dictates that the information would not be particularly helpful and would waste your time as much or more than my own. The setup might change at any time as I address one question or another and attempt to either isolate, or entice, the *something* I am dealing with into the appropriate corner. And, before someone states the obvious regarding NOT changing the setup, that too has been 'answered' without success.

    Thank you, and everyone else, for your questions and suggestions. I remain hopeful that at some point the question will be asked, suggestion made, that will provide the key to capturing the chameleon that I am dealing with.

    On a slightly more specific note can anyone point me to a very good, and safe, description of possible feed, audio, 'voice command' attack signatures?
     
  7. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    vkidv - "I am sorry for my hostility towards you. Nothing personal."

    No offense taken and I hope none given. As I said I am aware of the difficulty and the frustration.

    Regarding your shot in the dark please see recent response to innerpeace.

    Thanks.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Sorry, but your last statement is nuts. You are asking responders for help. It is not up to them to brainstorm ideas based on incomplete information. It is your obligation to answer questions people ask, or don't be surprised if people give up trying to help you. Your subject implies you want outside help, but it applies to you also.

    Pete
     
  9. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Peter2150 -

    With respect and understanding of your input.

    "Sorry, but your last statement is nuts". Again I must disagree.

    "You are asking responders for help". I asked for questions to be asked and possibly information regarding tools for locating malware. I have explained, repeatedly, that THAT is ALL the 'help' that I am asking for. The reason for that is that, as far as I can determine, all of the questions have been asked and all of the 'specific details' provided and all of the specific actions taken. Without success, and on much more than one occasion.

    "It is not up to them to brainstorm ideas based on incomplete information". Perhaps my use of the term 'brainstorm' was/is incorrect (see previous paragraph and other responses). It is apparent, since the problem (I mean by that the overall general problem prior to beginning this thread) persists, that throughout my long search/analysis at some point a question, tool, or procedure was missed and continues to be missed. Thus, the more questions asked, ideas presented, procedures suggested, the better the chance (if there is any chance) that what was missed will be found.

    "It is your obligation to answer questions people ask" I agree and I believe that I have, respectfully, responded to each, and every, post with the best answer possible under the circumstances. That is, thank you for the question, idea, information but that has been asked or tried or considered and eliminated already. It would serve no real purpose beyond wasting your time and mine to pursue that avenue any further at this time.

    "don't be surprised if people give up trying to help you." That is fully understood. I would not be surprised. That too, in a real sense, would be an answer amounting to 'all possible questions have been asked and avenues pursued'. And, I would express my thanks for that as well. I still hold some hope that that is not the case but am prepared to deal with the possible disappointment.

    "Your subject implies you want outside help, but it applies to you also." I do, and to the extent possible under the very odd circumstances at hand and the 'general' question posed, I have been as responsive as I can possibly be. The handwritten logs alone, noting times, indications of 'the problem', steps taken, findings or lack of, further questions to pursue, location or type of evidence gathered, and so forth, encompass 7 full notebooks. Then there is all of the related information on various pulled hard drives, multiple CDs, and so forth. There are multiple 'suspicious activity' notings, many resolved as 'normal', others leading to further suspicion, some tracked as far as could be tracked, some 'resolved' or 'changed'.

    Only one thing is certain. *Something* else has control of my system, access to my information, knowledge of everything I do, and the ability to, for example, erase the evidence I occasionally manage to 'capture' before I can pursue it further or use that evidence. That is the reality, and even the task of describing how that conclusion was reached, succinctly, would result in a book and take months to write. Even then, I am certain, there are many who would simply conclude "impossible, crazy, a lie". But then, they have not lived with it or dealt with it or fought with it as I have.

    Again, thank you for your input.
     
  10. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    If this means that you are running a webserver (or 2?)
    you might have opened port 80 etc on your firewalls (in router as well)?

    and:

    It would be a good idea to try to do a fresh reinstall without these.

    But I agree that starting by booting with a BARTPE cdrom would be the first thing to do.
    Problems persist => Hardware problem (extra hw added ?)
    If booting from BARTPE makes your problems disappear, start using malware scanners from that BARTPE CD-ROM or from on-line to scan the hard disk.
    If it is a rootkit or something like it, it is unwise to install malware scanners on an infected system.

    On the other hand, to be honest, I am not convinced that you really have a problem, but you are just testing this forum ;)
     
  11. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    tuatara - "On the other hand, to be honest, I am not convinced that you really have a problem, but you are just testing this forum"

    I can understand your skepticism. I am convinced of the problem but have no viable way to prove it. If I wished to test the forum, which I do not and am not, I would be better served by presenting a known infection and going through the process with identifiable tracks and facts and procedures (Don't you think?).

    Regarding the rest of your response. My system is fairly bare-bones at this time after determining background use of, for example, my VS tools to circumvent the steps taken to prevent background use of ColdFusion and related components. You are correct, at least in general, regarding IIS etcetera with respect to that point in time. That is no longer the case and not applicable at this point in time, as the rebuild/reinstall has been done since then. I may attempt that again, with BARTPE, but cannot justify the downtime yet.

    Thank you for your thoughts/input.
     
  12. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    Another thing you could do is to have an image of the disk (I mean a copy on another disk) analysed in/on another computer.
    That way the possible malware on it, will not be running while scanning for it.
    And you would have limited down-time.
    Perhaps you even have that (old?) disk already on the shelf.

    Of course you need (someone with) a second computer.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The reason people are skeptical is what you are saying is hard to buy.

    Assuming you can identify some behavior, that can be called something having control, then it shouldn't be that hard.

    1. Zero out the disk completely. You now have an inert mass of "stuff" put together as a computer.

    2. Install Windows from your Windows CD. Monitor your computer. If you installed from a legitimate CD you should now have a clean computer with no problems. Monitor it and confirm that.

    3. Then install software from wherever, one program at a time, and observe your computer's behavior at each interlude.

    This way you should be able to tell where a problem comes in.

    Needless to say, you should install windows, and then update it behind a router/firewall. 1st step of the above should be your security software.

    I would also change passwords.

    Pete
     
  14. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    I think the OP is mistaken all the way round.

    Mistaken in diagnosis & mistaken in curing.
     
  15. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    Sorry, perhaps I am a bit skeptical, but not negative; I tried to help him, didn't I?

    It is of course a very strange thing that happens here; it looks as if there is an active rootkit running, or if there is hardware spyware installed.
    Somehow your system turns into a zombie machine.

    But the simple things that need to be done to solve the problem,
    which are suggested by others here, and by me, cannot be done for some reason o_O?

    and..

    If the problems are like this, and for the sake of making it possible for you to write a bestseller like: Takedown by
    Tsutomu Shimomura and John Markoff

    I would run a BARTPE cdrom now! Why keep a system running like this o_O
    If you have run a BARTPE cdrom you CAN BE 100% sure
    if it is hardware or software, and it would be easy to troubleshoot,
    or scan the software, without having the rootkit etc. active.

    If you don't, you will never find it, it is that simple.

    :D
     
  16. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    tuatara - "Another thing you could do is to have an image of the disk (I mean a copy on another disk) analysed in/on another computer."

    Good idea but that has already been done without success.

    Thanks.
     
  17. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    Peter2150 - "The reason people are skeptical is what you are saying is hard to buy." Agreed. It is extremely hard to buy. If I were not experiencing it I wouldn't believe it either.

    "Assuming you can identify some behavior, that can be called something having control, then it shouldn't be that hard." That is what I thought also when the behavior moved beyond "odd" and "suspicious" to certain the first time (and since). None of the standard, and some not so standard, scanners/tools could find anything. Took the approach, as you suggested, of a very clean and secure reinstall. Took the approach of pulling the drive and having it scanned, safely, with the help of a friend's system. Nothing. Changed IP. No help. Password changes. No help. Etcetera. That whole cycle - "odd" to "certain", scans, reinstall (less) - has been repeated multiple times. Each time, once connected to the net the *something* returns. The cycle is repeated.

    This time around, I am back to the point of "suspicious". Definite network activity and disk activity via hardware indicators. Logs covering that period either disabled or cleared or both. No indication of 'normal'/'expected'/'likely' event/background activity occurring at the time to 'explain' it. Access to, for example, every file in a 'personal' folder that should not have been accessed. Indication of 'coincidental time frame' access to exe or dll or other files such as those mentioned in earlier posts for which I can find no logical explanation and which, generally, would be used for or associated with establishing a connection FROM my system to some other. No verifiable consistency to that, i.e. rcbdyctl one time, conf nmwb another, rasdial another, etcetera. Nothing via scans. Ran various monitoring, for example tcpdump, for a while but no indications of the activity occurring while monitoring. Suspicious activity resumes when not monitoring. And so on.

    Thus, this time around, before repeating the entire cycle again and most likely, as before, not accomplishing the desired results, try to determine the question/tool/approach/possibility not previously considered in order to at least improve upon the possibility of succeeding where all previous attempts have failed. As you said, it is just an inert mass and by taking the right steps in the right sequence it SHOULD not be hard to either find the problem or at least prevent it from happening again. Obviously, then, a step was missed, the sequence was incorrect, the right monitoring tool was not used, or WHAT? It makes sense, at least to me, to try and determine that 'what'.

    Thanks again for your thoughts and input.
     
  18. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    zapjb - "I think Op is mistaken all the way round.

    Mistaken in diagnosis & mistaken in curing."

    That is a fair conclusion given the information at-hand. I hope you are correct but, unfortunately and with no offense intended regarding your expertise, I strongly suspect that you are wrong.

    Respectfully, thank you for your opinion. Obtaining opinions is also part of the reason for this post.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If something is only happening when you go online, then you could try switching out your router or ISP. Try a trial on a cheap dial up.

    Honestly though I am beginning to suspect (with a bit of humor) that your problem may be a chair keyboard interface problem.
     
  20. LocoLobo

    LocoLobo Registered Member

    Joined:
    Jun 11, 2007
    Posts:
    12
    Location:
    On a mountain top, under a Full Moon
  21. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    tuatara - "It is of course a very strange thing that happens here" Yes. It is most certainly that.

    "I would run a BARTPE cdrom now! Why keep a system running like this"

    I think my last response to peter2150 may answer that. I suspect that I can run the BARTPE, be 100% certain that either I found the *something* or that it does not exist, and that shortly after that the cycle will be repeated and the *something* will return. Before doing that a) gather more information, questions, tools, and so forth and b) gather more 'evidence' and 'information' regarding 'suspicious' activity or 'certain' proof so that when (or if) the problem reoccurs I will have, hopefully, further narrowed down the range of possibility.

    It is interesting to note, for example, that since posting a) the level/frequency of the 'suspicious activity' has been noticeably reduced and b) the 'suspicious activity' has (not once!) occurred while connected to this forum.

    Thanks, again, for your thoughts and suggestions.
     
  22. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    peter2150 - "If something is only happening when you go online, then you could try switching out your router or ISP. Try a trial on a cheap dial up."

    Good thought. I tried that for a while (cheap dial-up, different ISP) but, ultimately, the "suspicious" activity began to reoccur. Consider this: Shortly after doing that my e-mail, once again, began being inundated with infected e-mail captured either by the ISP or my system. That has been a fairly consistent occurrence related to the 'cleanup/reinstall only to have problem reoccur' cycle. I am 98.5% certain that that is not mere coincidence.

    "Honestly though I am beginning to suspect (with a bit of humor) that your problem may be a chair keyboard interface problem." I have changed the chair and moved the keyboard (system) several times to reduce the chance of that. :)

    Thanks again for your thoughts.
     
  23. Not2Dum57

    Not2Dum57 Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    40
    locolobo - "If it walks like it-talks like it-ACTS like it-
    maybe it IS-" Maybe. :)

    Thanks for your thoughts and the links.
     
  24. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Did you try using SuperAntispyware, AVG Antispyware, Rootkit Unhooker?

    If you decide to reinstall perhaps a HIPS like Prosecurity, SSM or DSA will help to prevent infection if you can answer the prompts correctly.
     
  25. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Honestly, I have never seen such space wasted as this. This is crazy!
     