Bizarre file 'corruption' at work, mystifying!
Where I work we are seeing a bizarre problem that we've been trying to solve for months now. I have never seen anything like it. At seemingly random times, COMCTL32.ocx, COMDLG32.ocx and a few others are 'corrupting' - their size is being cut by approximately half.
Every time the problem occurs, the file reduces to exactly the same size: comdlg32.ocx goes from 152848b down to 63659b, comctl32.ocx drops from 608448b to 234403b; in every case the files are binary equivalent up to the point of truncation.
I've written a monitoring app which we deployed to monitor the exact date & time these files are corrupting, and have not noticed a pattern.
I know the lounge isn't a 'tech support' forum, but I'm desperate for some ideas. This problem happens indiscriminately to all workstations in our network and has become a major headache. The only app I am suspicious of causing the problem is our AntiVirus suite...that's the only app that I can see having a reason to open these files and read through them - however, their support has never encountered anything like it. Running ProcMon and filtering by apps that modify these files hasn't resulted in any useful data either - then again, we might not be looking in the right place.
Any of you guys seen anything like this before?
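The pattern described above (same files, same post-truncation size every time, and byte-identical to the original up to the cut) is something a baseline comparison can confirm automatically. The following is an added example and is not the poster's monitoring app: it compares each watched file against a known-good copy and classifies the change as truncated, appended, modified or unchanged. The paths and the byte counts (152848 to 63659, 608448 to 234403) are taken from the thread and used here only as constructed sample data; the `fake_binary` contents, `SAMPLE_BASELINES` and `sample_current` are stand-ins for reading the real files from disk.

```python
"""Compare watched files against a known-good baseline and classify changes.

Added example (not the original poster's code). In a real deployment,
`baselines` would be read from a trusted copy of each file and
`read_current` would be `lambda p: open(p, "rb").read()`.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class FileCheck:
    path: str
    baseline_size: int
    current_size: int
    common_prefix: int   # number of leading bytes identical to the baseline
    baseline_sha256: str
    current_sha256: str
    verdict: str         # "unchanged" | "truncated" | "appended" | "modified"


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Length of the longest identical leading run of the two byte strings."""
    limit = min(len(a), len(b))
    for i in range(limit):
        if a[i] != b[i]:
            return i
    return limit


def compare_to_baseline(path: str, baseline: bytes, current: bytes) -> FileCheck:
    """Classify how `current` differs from the trusted `baseline` bytes."""
    prefix = common_prefix_len(baseline, current)
    if current == baseline:
        verdict = "unchanged"
    elif len(current) < len(baseline) and prefix == len(current):
        verdict = "truncated"    # clean cut: identical right up to the new end
    elif len(current) > len(baseline) and prefix == len(baseline):
        verdict = "appended"     # baseline intact, extra bytes at the tail
    else:
        verdict = "modified"     # some byte differs before the shorter end
    return FileCheck(
        path, len(baseline), len(current), prefix,
        hashlib.sha256(baseline).hexdigest(),
        hashlib.sha256(current).hexdigest(),
        verdict,
    )


def check_all(baselines: Dict[str, bytes],
              read_current: Callable[[str], bytes]) -> List[FileCheck]:
    """Run the comparison for every watched path, in a stable order."""
    return [compare_to_baseline(p, b, read_current(p))
            for p, b in sorted(baselines.items())]


def alerts(results: List[FileCheck]) -> List[FileCheck]:
    """Only the entries that warrant a log line or a ticket."""
    return [r for r in results if r.verdict != "unchanged"]


# --- constructed sample data (stands in for the real files on disk) --------
def fake_binary(size: int, seed: int) -> bytes:
    """Deterministic pseudo-binary content so the example runs offline."""
    return bytes(((i * 131 + seed * 17) ^ (i >> 8)) & 0xFF for i in range(size))


SAMPLE_BASELINES = {
    r"c:\windows\system32\comdlg32.ocx": fake_binary(152848, 1),
    r"c:\windows\system32\comctl32.ocx": fake_binary(608448, 2),
    r"c:\windows\system32\MSCOMCTL.ocx": fake_binary(4096, 3),
}


def sample_current(path: str) -> bytes:
    """Simulates the state seen in the thread: two files cut, one untouched."""
    base = SAMPLE_BASELINES[path]
    if path.endswith("comdlg32.ocx"):
        return base[:63659]
    if path.endswith("comctl32.ocx"):
        return base[:234403]
    return base


def run_sample() -> List[FileCheck]:
    return alerts(check_all(SAMPLE_BASELINES, sample_current))


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r.verdict:9s} {r.path}: {r.baseline_size} -> {r.current_size} "
              f"bytes, identical for first {r.common_prefix} bytes")
```

Recording the common-prefix length alongside the sizes is what distinguishes a plain truncation from a file that was rewritten or had something appended, which is the question the replies below are arguing about; the SHA-256 of the baseline also lets you keep a manifest rather than a full copy of each watched file.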
Sounds like you have a trojan which appends itself onto those files but somehow fails, resulting in corrupted files. Aren't those .ocx files used for loading up activeX modules?
Good Luck!
-ddn
weird your antivir guys aren't picking that up. Do they have tools to monitor stuff like that that you could use?
Everything is better with Metal.
Is it happening on a single machine or on a bunch of different machines?
Quote: Original post by Moe
Is it happening on a single machine or on a bunch of different machines?
It's happening to a bunch of different machines. It's been happening for 2 months now and doesn't appear to be associated with any application or patch roll-out (it started in our pilot group and standard group at the same time, and all apps go to pilot first)
Quote: Original post by ddn3
Sounds like you have a trojan which appends itself onto those files but somehow fails, resulting in corrupted files. Aren't those .ocx files used for loading up activeX modules?
Good Luck!
-ddn
Yup. What's strange is that two other DLLs which are part of a proprietary DMS we use in their own folder within program files are 'corrupting' the same way - but none of the other DLL files in that folder have been affected - it's been the same files corrupting every time.
c:\windows\system32\comdlg32.ocx
c:\windows\system32\comctl32.ocx
c:\windows\system32\MSCOMCTL.ocx
c:\windows\system32\vsFlex7L.ocx <- Proprietary
c:\program files\interwoven\worksite\IManExt.dll <- DMS
c:\program files\interwoven\worksite\IManage.dll <- DMS
comdlg32.ocx and comctl32.ocx both corrupt in tandem. MSCOMCTL.ocx only corrupts on its own. The other two usually corrupt at the same time as well.
As a test though, I am going to run another AV scan on the machines with a different AV package - since a 'failed' trojan seems to be a good explanation.
Quote: Original post by djz
since a 'failed' trojan seems to be a good explanation.
Who says it failed? It could as well have succeeded and turned your company network into a botnet sending spam mails right now... :S
You could try spinning up Microsoft's Process Monitor and see which process is modifying those files? You can just set the filter to that file name and leave it running in the background.
Warning: Running Process Monitor might lag the machine.
edit: Make sure you ONLY have "Show Filesystem" activity turned on even if the filter doesn't list all of the registry and network updates. It will reduce the overhead a fair bit.
Worst case scenario, your network is compromised by a low-level rootkit, which you won't be able to detect through simple monitoring (which it seems like is the case).
Look into rootkit detection software and quarantine a newly infected machine and run the full suite of tests on it and see what pops up.
Good Luck!
-ddn
Process Monitor can detect a fair few root kits due to the way it works. It isn't "simple monitoring." It was originally designed as one giant hack and Microsoft liked it so much they purchased the company and added holes in Vista's armour to allow it to continue to work.