
Author Topic: impossible situation  (Read 5009 times)


needtoknow
impossible situation
« on: February 20, 2007, 10:08:42 AM »
Are there any experts out there that can help? I have employed 5-6 computer techs and one networking specialist company and nobody can figure out what is up with my computers. We clean the hard drive, flash the BIOS, on one repaired the MBR, and the trojan always comes back: a python scripting program that rewrites the registry and takes control. Is this a problem at some other level like the video memory or RAM? Excuse my ignorance, I am not a computer person, but I so need my computers back as it has been 10 weeks and I have a business that is suffering! Please, any advice! I think that it was a link through this site that helped me discover that it was a "rootkit" about 4-5 weeks ago. Now I need to get some ideas about how to get rid of it! Thanks

dl65
Re: impossible situation
« Reply #1 on: February 20, 2007, 11:22:04 AM »
needtoknow........ It sounds like you have more than one machine, is that correct?
If that's the case, are they all on the same network?
Do they all share the same resources?
Is more than one machine infected? (It's possible that they all could be infected.)
Do you have any idea what the intruder has been identified as?

dl65  ::)
If you don't know the answer, it isn't a dumb question.

needtoknow
Re: impossible situation
« Reply #2 on: February 20, 2007, 12:25:47 PM »
Hi--
At one time or another there were 3 laptops and a desktop all hooked up on a router. The problem kept recurring and eventually we were down to just hooking up the desktop to "wait and see". Now I have 2 laptops and my NEW desktop (was infected) at a computer network company for 1.5 weeks and I don't think they know what the problem is. I was told by an online site, after sending a HijackThis report about 4-5 weeks ago, that there was a "rootkit". Problem is, we have wiped the drives and reinstalled, and this trojan/virus keeps getting on somehow, somewhere other than the hard drive. I am wondering at what level a virus can be? We only shared a printer. How does the intruder get identified? I know that at one point the registry settings were changed so that even Norton, Zone Alarm and AVG were not logging correctly. I am so at a loss -- I am wondering if I need an exorcist instead of a computer company. Any ideas would be welcome. I almost feel that I should resign to not using computers anymore. I have paid big bucks so far with no results.

dl65
Re: impossible situation
« Reply #3 on: February 20, 2007, 01:02:08 PM »
needtoknow..... This may seem like a pain, however, if you could isolate your desktop from the network ........ and run another HijackThis scan and post the log here ........ we would like to have a look at it.

BTW, are the other 2 laptops clean?

dl65  ::)
If you don't know the answer, it isn't a dumb question.

needtoknow
Re: impossible situation
« Reply #4 on: February 20, 2007, 01:52:30 PM »
Hi--
I actually only have one computer (laptop) at home, and this one is definitely infected. My others are at a business (networking specialists) and they are trying to figure out the problem but aren't getting anywhere. If you can tell me how to hook up a laptop without using a wireless connection I will email you a log. We have an internet cable connection. Will a log do anything more than tell you that there are services running that shouldn't be? Thanks for your reply!

dl65
Re: impossible situation
« Reply #5 on: February 20, 2007, 01:57:06 PM »
needtoknow........ I assume you have a laptop at home with you ...... Can you not plug the laptop into your modem via a cat5 cable? There should be a port on it to accept the standard cable ..... (the same as you use to connect to your desktop)

And yes, the HijackThis log should reveal something ...... however, if the infection is really a true rootkit ..... it may be in stealth and may not show up .........

dl65  ::)
« Last Edit: February 20, 2007, 01:59:48 PM by dl65 »
If you don't know the answer, it isn't a dumb question.

needtoknow
Re: impossible situation
« Reply #6 on: February 21, 2007, 12:08:13 AM »
Here is the log. I think it is even much more involved than this.

Thanks

        Logfile of HijackThis v1.99.1
        Scan saved at 7:48:20 PM, on 6/29/2005
        Platform: Windows XP SP1 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\System32\Ati2evxx.exe
        C:\WINDOWS\System32\S24EvMon.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\System32\inetsrv\inetinfo.exe
        C:\WINDOWS\System32\RegSrvc.exe
        C:\WINDOWS\System32\snmp.exe
        C:\WINDOWS\System32\dllhost.exe
        C:\WINDOWS\system32\ZCfgSvc.exe
        C:\WINDOWS\System32\1XConfig.exe
        C:\WINDOWS\system32\Ati2evxx.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
        C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
        C:\WINDOWS\System32\hphmon04.exe
        C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
        C:\WINDOWS\BCMSMMSG.exe
        C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
        C:\WINDOWS\system32\cisvc.exe
        C:\WINDOWS\system32\cidaemon.exe
        C:\WINDOWS\system32\cidaemon.exe
        C:\WINDOWS\system32\cidaemon.exe
        C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
        C:\WINDOWS\System32\1XConfig.exe
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        C:\Documents and Settings\LJS1\Local Settings\Temporary Internet Files\Content.IE5\645ZQUC1\hijackthis[1]\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
        O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
        O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
        O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
        O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
        O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
        O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
        O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
        O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
        O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
        O4 - HKLM\..\Run: [workflo] D:\install\workflow.exe
        O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
        O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
        O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
        O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
        O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
        O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
        O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
        O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
        O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
        O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe


GX1_Man
Re: impossible situation
« Reply #7 on: February 21, 2007, 12:34:22 AM »
I have never seen an entire HijackThis log file fit into one post.

Why no SP2 on that machine?
« Last Edit: February 21, 2007, 12:34:57 AM by GX1_Man »

dl65
Re: impossible situation
« Reply #8 on: February 21, 2007, 01:44:34 AM »
needtoknow..... Wow ......... I just had a look at the logfile you posted....... There most definitely is something wrong with something .......

Here's what jumps out at you.......
1.
Quote
Scan saved at 7:48:20 PM, on 6/29/2005
Today's date is Feb 21st 2007.

2.
Quote
Platform: Windows XP SP1 (WinNT 5.01.2600)
The current SP is 2 ........ why do you not have it installed?

3. I can see no evidence of any anti-virus program installed ........ Why not?

4. I can see no evidence of any firewall installed ...... Why not?

5. The installed Java is also out of date.

6. Do you have all the latest M/S updates installed?

7. Was this HijackThis scan done in safe mode or in normal mode?

We await your reply.

dl65  ::)

If you don't know the answer, it isn't a dumb question.

CBMatt (Mod & Malware Specialist)
Re: impossible situation
« Reply #9 on: February 21, 2007, 02:58:33 AM »
          It really is odd seeing such a short log.  One thing I'd like to add...

          You may want to move your copy of HijackThis to a permanent location.  You currently have it in Temporary Internet Files, where it and its backups are likely to get deleted.  I would suggest making a folder called HJT in C:\Program Files and moving the program there where it can be nice and safe.
          Quote
          An undefined problem has an infinite number of solutions.
          —Robert A. Humphrey
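The points dl65 and CBMatt read off the posted log (scan date two years behind the calendar, XP still on SP1, no anti-virus or firewall process visible, an old Java runtime, HijackThis running out of Temporary Internet Files) can be checked mechanically. The script below is an added example and is not something anyone posted in this thread, nor part of HijackThis itself. It parses a HijackThis log into header fields, running processes and entry lines, then applies those five checks. The log text inside it is a constructed excerpt modelled on the posted log; the list of anti-virus and firewall process names (Norton, ZoneAlarm, AVG) and the Java version threshold are assumptions made for the example.

```python
"""Added example: triage of a HijackThis log along the lines dl65 and CBMatt took.
Log text, security-process list and Java threshold are constructed/assumed here."""
import re
from datetime import date

# Constructed excerpt modelled on the posted log (not the complete log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:48:20 PM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Documents and Settings\LJS1\Local Settings\Temporary Internet Files\Content.IE5\645ZQUC1\hijackthis[1]\HijackThis.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
"""

# Constructed log of a machine that passes every check, for comparison.
CLEAN_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:00:00 AM, on 2/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HJT\HijackThis.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
"""

# Image names of the products needtoknow mentioned (Norton, ZoneAlarm, AVG).
# Assumed list for the example; extend it to whatever a machine should be running.
SECURITY_PROCESSES = {"ccapp.exe", "navapsvc.exe", "zlclient.exe", "vsmon.exe",
                      "avgcc.exe", "avgamsvr.exe"}
MIN_JAVA = (1, 5, 0)                      # assumed oldest runtime treated as current
ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")   # R0.., F0.., N1.., O1.. entry lines


def parse_hjt_log(text):
    """Split a HijackThis log into header fields, running processes and entries."""
    header, processes, entries = {}, [], []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        if ENTRY_RE.match(line):
            section = "entries"
        if section == "header":
            m = re.match(r"Scan saved at .+, on (\d+/\d+/\d+)$", line)
            if m:
                header["scan_date"] = m.group(1)
            m = re.match(r"Platform: (.+) \((.+)\)$", line)
            if m:
                header["platform"] = m.group(1)
        elif section == "processes":
            processes.append(line)
        else:
            entries.append(line)
    return header, processes, entries


def triage(text, today):
    """Return {finding_code: detail}; `today` is a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    header, processes, entries = parse_hjt_log(text)
    findings = {}
    # dl65 #1: a scan date far from today means a wrong clock or a stale log.
    if "scan_date" in header:
        month, day, year = (int(x) for x in header["scan_date"].split("/"))
        age = (today - date(year, month, day)).days
        if abs(age) > 7:
            findings["stale_scan_date"] = f"{header['scan_date']} is {age} days from {today}"
    # dl65 #2: Windows XP below Service Pack 2.
    platform = header.get("platform", "")
    sp = re.search(r"\bSP(\d)\b", platform)
    if "Windows XP" in platform and (sp is None or int(sp.group(1)) < 2):
        findings["xp_without_sp2"] = platform
    # dl65 #3/#4: no anti-virus or firewall process visible at all.
    image_names = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    if not image_names & SECURITY_PROCESSES:
        findings["no_security_software"] = "no known AV/firewall process running"
    # dl65 #5: Java runtime older than MIN_JAVA, read from the plugin's path.
    for entry in entries:
        m = re.search(r"\\Java\\j2?re(\d+\.\d+\.\d+)\\", entry)
        if m and tuple(int(x) for x in m.group(1).split(".")) < MIN_JAVA:
            findings["old_java"] = m.group(1)
            break
    # CBMatt: HijackThis itself running out of Temporary Internet Files.
    for proc in processes:
        low = proc.lower()
        if low.endswith("hijackthis.exe") and "temporary internet files" in low:
            findings["hjt_in_temp"] = proc
    return findings


if __name__ == "__main__":
    for name, log in (("posted log", SAMPLE_LOG), ("clean log", CLEAN_LOG)):
        print(name, triage(log, "2007-02-21") or "no findings")
```

Run against the posted excerpt with 21 February 2007 as "today", all five findings fire; the clean log produces none. The Java check reads the version out of the plugin path rather than trusting any version string, because that is the only place a HijackThis log exposes it.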

oddjob
Re: impossible situation
« Reply #10 on: February 21, 2007, 04:04:18 AM »
Two small comments.

needtoknow ... you say your systems "share one printer". Maybe that's the problem. Wiping hard drives, reinstalling but finding the same problem recurring indicates an external issue.

IMPORTANTLY .... do NOT install SP2 on any machine believed to be infected with malware. It will cause more trouble as it won't install properly.

OJ

needtoknow
Re: impossible situation
« Reply #11 on: February 21, 2007, 08:18:02 AM »
OK-relax----

I am using this laptop for nothing else than to find out what is going on and why this ugly thing keeps taking over my system. I had to reinstall the operating system and it took me 2 hours to get an internet connection. My focus was not on updating to SP2, it was on getting a log. I found the driver for my ethernet connection and got the log, turned off services for remote server, etc., turned off the computer and went to bed too late. When I got up and booted up, all those services were running, and my connection was gone, my ethernet not visible in devices. Can somebody please tell me where the trojan can be besides the hard disk? In the RAM? In the video memory? I am not a computer person! But after repeated attempts to wipe all my computers (new desktop, laptop) this thing always comes back. I don't know if I need to camp out at the police station until the computer crime division helps me??? 3 months without a computer and I have a business. Countless "techs" have not been able to help me. Any ideas??

oddjob
Re: impossible situation
« Reply #12 on: February 21, 2007, 09:24:24 AM »
You have frequently remarked that you have wiped disks and reinstalled. I have a feeling that something you "reinstall" contains this "bug" or whatever it is.

This file ....

C:\WINDOWS\System32\S24EvMon.exe

.....brings up differing opinions. I don't have it running on my machines personally, but others say it is "vital", others that "it is optional and won't do any harm if removed/stopped", and some even go so far as to say it can cause havoc with internet connections and is completely unnecessary. It's a monitoring file/process.

It may be that, if you stopped this process running, you may improve things.

As I say, I am not an expert on this particular process (others here may have more idea), but I guess stopping it can't make anything worse.

It would be good to try and get just ONE of your machines up and running before linking it up to the others.

Please let us know what you think.

OJ
« Last Edit: February 21, 2007, 09:26:23 AM by oddjob »

needtoknow
Re: impossible situation
« Reply #13 on: February 21, 2007, 11:23:20 AM »
Yes, I agree that I should try to just get one of my machines up and running, but I have not been able to do this in many weeks. I keep getting the same level of control by remote server. My big question is: where can this keep loading from? I am certain that it is not coming in from the internet. It did once, but now it is being stored somewhere besides my hard drive. Is this information that only a specialist would have? Do I need to find a specialist? Thanks

oddjob
Re: impossible situation
« Reply #14 on: February 21, 2007, 02:50:24 PM »
Have you tried disabling/stopping/removing that file I specified in my last post? What was the result?

OJ