advapi and worse!

Hi, I have the advapi bug problem, but it goes much further than that.  I have run all of this past a good friend of mine, semi-retired, one of the top programmers at Seagate -- he has also discussed this with a number of his colleagues -- the collective opinion is that this is one of the most advanced hack infestations they've heard of, giving the appearance of making "impossible" modifications to the system.  But even before I had gone to them for assistance, it was clear to me that my entire computer has been hijacked.  

Every file slips by every scan that I've run, including the big guns (Norton, McAfee, ZoneAlarm); the files are all hiding as legitimate system files.  Any file which I delete, whether an apparently legit system file or a likely virus file, is quickly replaced.  All of this right after a 5-pass DoD wipe of the hard drive, no internet connection, ALL DSL modem, AC adapters, ethernet cables unplugged.  The hack has activated nearly a dozen various WAN miniports (showing up under Device Manager's hidden devices), most of them on various USB hub connections, and indicating that they're sharing, sometimes 3 at a time, the same IRQs and memory addresses.  These devices cannot be disabled or uninstalled, the locations of the (virtual) devices and drivers being located at ROOT/ ... (no %...%/..., just ROOT).

I've found dozens of bogus files in the Windows directory, showing how they're redirecting the BIOS to their own on a virtual (non-existent) floppy drive B (I've disconnected my actual floppy drive).  Descriptions of how they're emulating the appearance of the Windows bootup and logon process (show this screen with a timeout of x seconds, etc.).  I found a log describing their steps in moving the memory address of my graphics driver to perfectly match that of their own devices.  They've even installed Bluetooth drivers (I have no such devices).  They describe making the necessary registry changes to eliminate the appearances of any hack flags.  Also system files describing modifications of USB ports to serve their purposes.  Another document describes how they're implementing bogus time-stamps.

I've been running ZoneAlarm at max security since before any of this began, a week or so ago ZA began logging massive attempts by the WMI service attempting to lower its security settings, which were logged as blocked, but the next day ZA had been uninstalled, and the system hasn't allowed me to re-install.  I set up Windows Firewall as the best available replacement, but then it becomes disabled as the Security System service is shut down.  

BTW, this is the first time I've been back online since ZA was uninstalled.

Nothing which I delete, no security changes, no disabling of system services, stick -- the system is quickly taken over by LOCAL SYSTEM, NT AUTHORITY, etc, and my own administrative privileges are quickly disabled after a clean reinstallation of Windows XP, either Home or Professional.  They appear to be making use of the pagefile and System Volume Information directories.  I know how to use CACLS to gain access to these, delete everything and immediately overwrite the empty disk space with garbage (not sure if that overwriting helps, but I know that just leaving it open space deletes nothing), but subsequent monitoring of those directories shows immediate modification.

I bought a second, inexpensive Dell (OptiplexGT270) as an internet-dedicated machine, having no connection with my infected system, WindowsXP Pro pre-installed, but as soon as I started it up (had NOT gone online), it was already infected.  Discovered later (see below) that the bug had been carried by my Logitech MX1100 mouse!

I've called several local (this is a major city) computer tech shops for help, but when I describe the problems, in particular how it seems to have infected hardware, they've not wanted (so far) to do anything which would involve attaching any of their own diagnostic equipment to my system, so no luck yet with them.

I've gathered a sizeable amount of documentation, logs and system file txt printouts on all of this -- for now I'll just attach my HijackThis log from my Dell 410XPS (not much help probably, as again I cannot permanently delete anything even though I'm offline), and also a systems info analysis of the OptiplexGT270 (jpg's of the screen -- as far as relevant info, should be about the same as my main computer) which I run from a boot CD, Windows not running.  And I do hope that all of this gets to you without corruption!

This has become an urgent problem, as of yesterday ... I could, though it would hurt, trash my complete system and buy all new, but before I had realized that the mouse was able to transmit the bug I had gone to my mother's to access the web, and as luck would have it her mouse had not been working, so I thought nothing of bringing mine with me to use.  This of course infected her machine, but also her husband's through their LAN, despite his having Norton running.  He is a Regents Professor at the University, so any data loss for him would be catastrophic.  Before my mom's computer had reached the desktop during bootup I noticed an inappropriate amount of HD activity on her computer and immediately hit the machine's off button, then ran into her husband's study shouting for him to turn his computer off immediately, but it was too late for both.

As far as backing up at this point, most of my directories are marked to delete on copy, which did occur when I tried, but I found that by zipping them first I could get them off.  But this would be quite a task with a TB or so of data!  lol  Do you think that ghosting a drive would bypass this potential deletion on copy?  It would still be infected of course, but would still be a backup of sorts.

When I'm done here, I'm going to install an Ubuntu OS -- hopefully this would be beyond their boolean if/then contingencies and I might be able to implement some more effective solutions.

I'll just remind once again, all of this has been verified by my very qualified friend and his associates at Seagate.  Thanks for *any* help!!
hijackthis.log
DSC-0652.JPG
DSC-0653.JPG
DSC-0654.JPG
DSC-0655.JPG
DSC-0657.JPG
DSC-0658.JPG
DSC-0660.JPG
DSC-0662.JPG
DSC-0665.JPG
DSC-0666.JPG
papilioAsked:
_Commented:
wow...   8 |

Questions:
- does any other hardware seem to be infected other than the mouse?
- you have stopped using that mouse?
- have you scanned with any of the boot CD antivirus disks?
http://www.zimbio.com/AntiVirus+Software/articles/455/FREE+Bootable+AntiVirus+Rescue+CDs+Download

I have had pretty good luck with Kaspersky live cd :
http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/
Download the .ISO file, burn it to disk, and then boot from it. It should ask to download update files, and then scan the system.

Not sure if ghosting would delete anything or not. But if you use a bootcd version of one of the "cloner" programs based on Linux or a Proprietary OS, I would think it wouldn't affect the files.

Not so bright ideas:
I would remove/unplug/disable everything I could, and take it as close to CPU, video, 1 stick of RAM as possible and flash (reflash?) the BIOS to the latest one available. This is optional, but considering how nasty this is, it wouldn't be a bad idea to attempt to see that everything is "clean".
Hook the hard drive back up and try a scan with the AV boot cd.

And that's all I got at the moment.
0

_Commented:
For what it's worth...

Been poking around a little, and most of what I found is from 2005-2008, and seems to say it might be the NetDevil 1.2 virus.

I don't know if I would trust the Remover they offer, but the list of files and Reg entries might help you.
http://www.scanspyware.net/info/NetDevil.htm
0
papilioAuthor Commented:
Hi coral47, thanks for the replies!

Just got up, so I'll look into the options you've mentioned.  I've been using my PS/2 mouse/keyboard ever since I discovered about the mouse.  I've flashed the BIOS, but as one document indicated (and most of the docs I've mentioned are "legit" Windows/Inf files viewed as text), they're ("it's", the "hackers", whatever) causing the machine to use a BIOS on some virtual B: floppy drive, not the computer's own.  (Lots of REDIRECT commands or references in all of these docs, and my own computer is referred to as a sub-system.)  When I view Device Manager, hidden devices shown, and "View by Connection", there appear to be two parallel lists, one showing my own devices, the other with virtual devices (cannot be un-installed as the drivers are "unknown" and located on this mysterious ROOT, again, not %systemroot% or anything like that -- the devices' enumerators are also simply saying ROOT), and of course even the ones which I can *seemingly* uninstall come right back.  I can't make a single security-related setting change on any of my drives/partitions/either computer which sticks.  After I've done a clean install on a DoD 5-pass wiped disk, many logs are accessed and modified within seconds to minutes, lots of devices having had "Co-installers".  I'll attach a couple of the more incriminating Windows directory files, perhaps comparing these with some of your own will lead to some insights -- but please everyone, remember to extract these in a secure environment just in case! ;-)

I run the system info utilities from Hiren's boot disc on a freshly wiped HD before installing Windows -- and the Windows setup goes much too quickly, also a couple of DOS windows flash on the screen for a split-split second near the end of the "Registering Components" statusbar (or is it "Registering [services, devices]", can't remember right now but you know what I mean), and there's no Flying Windows/"Let's Set Up Windows/Do you want to turn on Automatic Updates?" sort of stuff on the initial after-installation bootup, just right to the desktop.  Plus there are some strange and long "Please Wait" pauses during installation.  And when installing XP Pro rather than Home, the first-time logon screen sometimes already shows the Administrator account and second Owner/Administrator account -- with that one showing a user icon pic which I had chosen several installations back!

One problem is that when the installation disc first examines the system configuration, it sees these phantom devices and goes right on ahead to load the driver files for them.

I tried (and paid for the fix) the NetDevil remover, it found a couple of registry entries to change or delete, but no help with the problem.

And yes I've scanned with the bootdisc's antivirus, computer looks clean as it does with every anti-virus/spyware scan I've tried (many of the freebies as well as the Norton's, McAfee, etc.).

Also have tried as you suggested the bare-bones hardware setup.

After each installation, it doesn't take many reboots before I get the "ntldr/NTDETECT.COM missing" error (though the Recovery Console shows them as still being there).  I've taken to making a tiny first partition on the drive and just putting these two files on that, making it the boot partition -- not a fix allowing me to boot successfully from then on but it does take a lot longer for the hack to figure out what's going on and corrupt them.  I tried once hiding the WINDOWS/Inf directory, and according to their own (modified) setup log, they had a bugger of a time finding other compatible files for their drivers!  But of course, this is no fix, just wanted to see what they'd do.

BTW, even though I'm getting tons of logons and secondary logons -- LOCAL SYSTEM/NT AUTHORITY/anonymous/username (mine) -- logging in with advapi, I've never located an advapi file on any computer search.

AT LAST I managed to somehow sneak a successful installation of ZoneAlarm onto one of my drives/partitions, set *everything* to ask for permission to access the web as well as communicate with other programs, but they're still getting away with it, though ZA is helping a lot.  Going online, I allow Firefox once, and that darned svchost once -- and then TCPview immediately shows 50 or more  connections piggy-backed on the Firefox connection!

I thought it might help to pre-authorize Firefox and svchost to access only legit ports using ZA, but don't know much about subnet masks and that sort of thing -- could anyone help me with that?  Now that I've got ZA running again (they don't have much tech support on Sundays) I'll try to get some chat help from them.

There are many, many interesting and incriminating *.txt, *.LOG, *.ini and *.inf files in my Windows dir (nearly all of them in fact, the whole directory appears bogus!), but I'll attach a 7z archive of some of the more interesting.  Sorry if this confuses things, but they're not all from the same dates/drives/computers, but are typical.  Some most likely are not relevant.  System info and System component history changes give some idea as to the actual activity taking place, the setup logs seem to be pretty suspicious, also the biosinfo.  I don't know if the layout means anything, or may on the other hand be a key to their own file locations ... just a guess.

Thanks SO MUCH for the help!

p.s.  Just noticed that ZA has been completely reconfigured  :p

system-overview.zip
0
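The TCPView observation in the post above (dozens of connections appearing alongside the one Firefox connection) and the question about restricting Firefox and svchost by subnet mask come down to the same check: for each process, which remote networks and ports is it allowed to talk to? The following is an added example, not code from the thread, from ZoneAlarm or from TCPView. It parses the text output of `netstat -ano` (which on XP lists the same process-to-endpoint mapping TCPView shows) against a per-PID allowlist, and converts between dotted masks and prefix lengths with the standard `ipaddress` module. The sample output, the PID-to-program pairing (2212 standing in for firefox.exe, 1020 for a svchost.exe instance) and the permitted networks are all constructed for the demo.

```python
"""Check per-process TCP connections against an allowlist of remote networks.

Added example for the thread above; not code from ZoneAlarm, TCPView or any
poster.  Input is the text of `netstat -ano` (Windows); the sample below is
constructed, and the PID-to-program pairing is an assumption for the demo.
"""
import ipaddress
import re

# Constructed sample of `netstat -ano` output; nothing here was captured
# from a real host.  PID 2212 stands in for firefox.exe, 1020 for svchost.exe.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:1041       192.168.1.1:53         ESTABLISHED     1020
  TCP    192.168.1.5:1045       64.233.169.99:80       ESTABLISHED     2212
  TCP    192.168.1.5:1046       64.233.169.99:443      ESTABLISHED     2212
  TCP    192.168.1.5:1047       203.0.113.77:6667      ESTABLISHED     2212
  TCP    192.168.1.5:1048       198.51.100.20:445      ESTABLISHED     1020
  UDP    0.0.0.0:500            *:*                                    700
"""

# Allowlist per PID: list of (network, allowed remote ports).  Networks may be
# written with a prefix length or with a dotted mask; ipaddress accepts both.
POLICY = {
    2212: [(ipaddress.ip_network("64.233.160.0/255.255.224.0"), {80, 443})],
    1020: [(ipaddress.ip_network("192.168.1.0/24"), {53})],
}

_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per socket row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state or "", "pid": int(pid)})
    return rows


def split_endpoint(endpoint):
    """'64.233.169.99:443' -> ('64.233.169.99', 443); '*:*' -> ('*', None)."""
    host, port = endpoint.rsplit(":", 1)
    return host, (int(port) if port.isdigit() else None)


def flag_connections(rows, policy):
    """Return (pid, remote_host, remote_port, reason) for every established TCP
    connection that no rule permits.  A PID with no rule at all is reported
    too, since an unexpected process talking out is the interesting case."""
    findings = []
    for row in rows:
        if row["proto"] != "TCP" or row["state"] != "ESTABLISHED":
            continue
        host, port = split_endpoint(row["remote"])
        addr = ipaddress.ip_address(host)
        rules = policy.get(row["pid"])
        if rules is None:
            findings.append((row["pid"], host, port, "no rule for this PID"))
        elif not any(addr in net and port in ports for net, ports in rules):
            findings.append((row["pid"], host, port, "outside allowlist"))
    return findings


def mask_to_prefix(dotted_mask):
    """'255.255.224.0' -> 19 (the /19 a firewall rule dialog may ask for)."""
    return ipaddress.ip_network("0.0.0.0/" + dotted_mask).prefixlen


def prefix_to_mask(prefix_len):
    """24 -> '255.255.255.0' (the other direction, for dialogs wanting a mask)."""
    return str(ipaddress.ip_network("0.0.0.0/%d" % prefix_len).netmask)


if __name__ == "__main__":
    for pid, host, port, why in flag_connections(parse_netstat(SAMPLE_NETSTAT), POLICY):
        print("PID %d -> %s:%s  (%s)" % (pid, host, port, why))
```

On a real box, run `netstat -ano > conn.txt` while the suspect connections are up and feed that file to `parse_netstat`; `tasklist` or Task Manager gives the PID-to-program mapping that the POLICY table assumes. Every connection the script reports is one to either add to the firewall rule for that program (if you recognise the destination) or block outright; a browser that is legitimately the only thing you allowed should not be the parent of dozens of connections to ports like 6667.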
_Commented:
Very odd. A DoD wipe should have gotten rid of it. Unless they figured out how to hide a small piece of code in hardware (like a firmware update), and when Windows hits it, it is enough to start the ball rolling.

Another thought:
Maybe your Install disk got infected with a bad file if you did a slipstream of SPs, or Patches/Updates if you burned them to a disk.
Hang on... you said it did it with Home and Pro.   : /
0
papilioAuthor Commented:
Thanks again for the reply,

That was my main question, where could the bug be hiding (both install discs are authentic), but then as I remembered that there was indeed one common connection between my main computer and the new cheap one which was infected right away, the monitor, I too thought of firmware mem.

I may be onto the right track now though -- my friend at Seagate just called and suggested pulling the RAM card, CMOS battery and moving the jumper from 1/2 to 3/4 and back again, then wiping the drive once more.  I'm waiting right now (for the next 3 hrs) as the drive is wiped, but even before I began the wipe (just a partition delete) I checked the system config with the bootcd and everything looked back to normal, device-wise.  If that works (on my cheap OptiPlexGX270) I'll see if the advapi file still shows up as letting all of these logons and secondary logons on the security events log, then if not, apply the fix to my main system, and hopefully this will be over with.  I'll report back.

BTW, my mom's husband called a techie who went over to check things out, and he insists that there's no way the mouse (Logitech MX1100) could have transmitted the bug, so hopefully things are alright there, though I'll not be convinced till I know that he's not experiencing the same troubles over the next week or so, as his system did show the very same "newly installed" devices as mine.  I'm pretty sure that the techie disbelieves I'm even infected, for some reason, but this is the first time in nearly 20 years on a computer that I've seen anything like this sort of behavior from the machine.  (He did mention though that he has very high regards for experts-exchange!)

I have downloaded both of the first two files you recommended, though haven't tried them yet, but thanks for the links, the tools will be good to have especially if this ends up not doing the trick.

You're great for helping!
0
_Commented:
I haven't seen anything like this either. As far as I know, a virus can't hide in hardware. If someone did figure it out, that scares the **** out of me.
I want in, even if I go down in flame.   : )
0
papilioAuthor Commented:
LOL !
0
dbrunton Commented:
>> I bought a second, inexpensive Dell (OptiplexGT270) as an internet-dedicated machine, having no connection with my infected system, WindowsXP Pro pre-installed, but as soon as I started it up (had NOT gone online), it was already infected.  Discovered later (see below) that the bug had been carried by my Logitech MX1100 mouse!

Optiplex GX270 I'll presume rather than GT270.  Was this brand new or second hand?  Any wireless NIC in this machine?  The mouse in itself should not contain a virus or be capable of storing one.


>> most of my directories are marked to delete on copy, which did occur when I tried, but I found that by zipping them first I could get them off.

Use an Ubuntu Live CD to access these directories and copy them to an external USB drive.


>> I run the system info utilities from Hiren's boot disc on a freshly wiped HD before installing Windows

Coff.  Coff.  Mention of that boot disc will get you in trouble around here.  The software on that disc is commercial and hacked.  And you cannot verify that the files on that disc are not virus contaminated.

If you are going to wipe the hard disk with DOD use the UBCD http://www.ultimatebootcd.com/


>> and the Windows setup goes much too quickly, also a couple of DOS windows flash on the screen for a split-split second near the end of the "Registering Components" statusbar (or is it "Registering [services, devices]", can't remember right now but you know what I mean)

I have to ask.  Have these install discs been slipstreamed or patched in some way?  That is the only way I can see the DOS Windows coming up.  And what version of XP is this - original or SP1, 2 or 3?  The original version was not secure when it came to networking permitting drive by infection.



0
TobiasHolmCommented:
> I have to ask.  Have these install discs been slipstreamed or patched in some way?  That is the only way I can see the DOS Windows coming up.  And what version of XP is this - original or SP1, 2 or 3?  The original version was not secure when it came to networking permitting drive by infection.

No, Papilio has used two different CD's that ain't slipstreamed "both install discs are authentic".

I'd like to examine that mouse! :D
If you open it up you can check which components inside. It could be a Microchip single chip controller of some sort, and those *can* be reprogrammed if the chip fuse ain't blown correctly.
0
papilioAuthor Commented:
Right, got the message loud and clear about Hiren's -- it's been deep-sixed.  Have had the disc for probably a couple years, no idea anymore from where, though had never used it till last week (long after the problems began, in case anyone's wondering).  I'll use your link, thanks.  And of course, right about the OptiPlex GX270.  And yes it was from eBay, though I would think fairly trustworthy as the dealer had sold hundreds and had 99% or so positive feedback -- but I understand, you never know with a source like that.  But again, was purchased after the trouble was well under way.

Also very interesting about the mouse, I'll pass that along to the techie I finally gave in to calling!  lol  first problem I couldn't handle myself.  The tech man is *very* good, and I'm pretty sick of dealing with this.  I tried the solution about wiping all memory mentioned above, but only on the OptiPlex so far, and it has a very strange jumper configuration and I probably did it wrong, so one way or another the fix was ineffective.

I've downloaded Ubuntu in order to retrieve hopefully clean files from the windows machine, so we'll see.  BTW, the Windows Home (the one that came with my original Dell 410XPS from the factory) is SP2, and has for the last several install attempts and will continue to be the only disc I'll use.  Really seems strange still that the first boot from a fresh install on a clean "supposedly" DoD-wiped disc had none of those initial introductory screens, just straight to the desktop every time.  And those windows popping up during setup are of course a new event (I mistakenly said that they were DOS, but no way to tell really, they're too quick.)

Also, what are any of your opinions of Ubuntu, just installed it on the OptiPlex yesterday -- horrible display so far on my 2405 monitor, but I'm sure I haven't gotten to the part of setting it up correctly, I assume I'll learn how to use the actual nVidia driver which hopefully will take care of that.  Also regarding Ubuntu, I start with the option of allowing it to use the whole (150gig) HD, but it only sets up a tiny partition for itself and runs out of space pretty much as soon as I install a few apps or download a few larger files.  I'll create a larger partition and install it on that next -- any special format needed?  And does it have its own web protection?  Haven't found reference to any so far.   Finally, how's the Windows emulation?  Is using a virtual drive the way to go, or is there a better (faster performing) way?  My using Windows programs is absolutely essential.

Have been assuming that the advapi bug is involved in this in some way - but noticed on the last Windows Home install that it loaded from the disc, and advapi32.dll showed up right away on a computer search, though never has before -- even though many of these logons are using that process to get in.  I often get an Event Log error or warning (forget which right now) that my quota for connections has been reached.  That was before any connection to the web.  Starting up TCPview sometimes shows over 100 unauthorized logins at first, many connections closing seconds after the TCPview window pops up.  The Events Log initially shows the correct Windows Firewall setting of no exceptions, immediately followed by exceptions being allowed.  Also before any web connection, within 15 minutes to several hours every file and directory shows having been accessed, some modified.  All scans with multiple companies' anti-virus/spyware show the computer as clean.

My sincerest thanks for all the replies!
0
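The logons described in the posts above (LOCAL SYSTEM, NT AUTHORITY, anonymous, the poster's own account, with "advapi" as the logon process) are what XP's Security log records as events 528 and 540. "Advapi" in the Logon Process field is the name Windows gives any logon made through the LogonUser API, which is how service starts, scheduled tasks and runas show up, so that name on its own does not point at a particular program; what separates routine entries from ones worth chasing is the logon type and the workstation the logon came from. The following is an added example, not code from the thread or from Microsoft. It parses a text export of such events into one record per block, in the Key: Value layout the Event Viewer description pane shows (the export layout and the records below are simplified and constructed), collapses the noise into counts per user, logon type and logon process, and flags network logons from any machine not in a list you supply. The host name DELL410 and the sample records are assumptions for the demo.

```python
"""Group XP Security-log logon events (528/540) and flag the ones that merit a
closer look.  Added example for the thread above; not code from any poster.
The records are constructed in the Key/Value layout of the Event Viewer
description pane; a real export would first need its lines split the same way.
"""
from collections import Counter

# Windows logon types as documented for events 528/540.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample export: one record per blank-line-separated block, first
# line is "<event id> <description title>".  DELL410 is an assumed host name.
SAMPLE_EVENTS = """\
528 Successful Logon:
User Name: SYSTEM
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E7)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: DELL410

528 Successful Logon:
User Name: michael
Domain: DELL410
Logon ID: (0x0,0x1A2B3)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: DELL410

540 Successful Network Logon:
User Name: michael
Domain: DELL410
Logon ID: (0x0,0x2B4C5)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DELL410

540 Successful Network Logon:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x3C5D6)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: OTHERBOX
"""


def parse_events(text):
    """Return one dict per record: 'event_id', 'title', plus each Key: Value."""
    events = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        event_id, _, title = lines[0].partition(" ")
        ev = {"event_id": int(event_id), "title": title.rstrip(":")}
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep:
                ev[key.strip()] = value.strip()
        events.append(ev)
    return events


def triage(events, known_hosts):
    """Return (summary, flagged).

    summary counts (user, logon type name, logon process) so that a screen
    full of Advapi entries collapses into a handful of lines; flagged lists
    network or remote-interactive logons whose workstation is not in
    known_hosts, plus any cleartext-credential (type 8) logon.
    """
    summary = Counter()
    flagged = []
    known = {h.upper() for h in known_hosts}
    for ev in events:
        ltype = int(ev.get("Logon Type", "0"))
        summary[(ev.get("User Name", "?"), LOGON_TYPES.get(ltype, str(ltype)),
                 ev.get("Logon Process", "?"))] += 1
        workstation = ev.get("Workstation Name", "").upper()
        if ltype in (3, 10) and workstation and workstation not in known:
            flagged.append((ev["event_id"], ev.get("User Name"), workstation,
                            "%s logon from unknown host" % LOGON_TYPES[ltype]))
        elif ltype == 8:
            flagged.append((ev["event_id"], ev.get("User Name"), workstation,
                            "cleartext-credential logon"))
    return summary, flagged


if __name__ == "__main__":
    summary, flagged = triage(parse_events(SAMPLE_EVENTS), {"DELL410"})
    for (user, kind, proc), n in sorted(summary.items()):
        print("%4d  %-16s %-18s via %s" % (n, user, kind, proc))
    for item in flagged:
        print("FLAG", item)
```

Run against the sample, the SYSTEM/Service/Advapi entry and the interactive User32 logon count as one line each and are not flagged; the type 3 logon from the box itself is also left alone, because loopback network logons to the local machine are normal; only the ANONYMOUS LOGON from OTHERBOX is reported. On a box with no network cable attached, a non-empty flagged list is the thing to explain before anything else, since a network logon needs a peer.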
TobiasHolmCommented:
You can enable hardware drivers for nVidia card (Menu: System / Administration / Hardware drivers).

You can use VirtualBox and run Windows in it. Use "Ubuntu Software Center" to get it.

Regards, Tobias
0
dbrunton Commented:
>>  Really seems strange still that the first boot from a fresh install on a clean "supposedly" DoD-wiped disc had none of those initial introductory screens, just straight to the desktop every time.


Is this a Dell CD?  If so this could be the Dell installation process.  Not familiar with Dell installation CDs.

If it is a Dell CD it may work on the Optiplex.


>>  Also regarding Ubuntu, I start with the option of allowing it to use the whole (150gig) HD, but it only sets up a tiny partition for itself and runs out of space pretty much as soon as I install a few apps or download  a few larger files.  I'll create a larger partition and install it on that next -- any special format needed?


Strange that it is running out of room with that size disk.  That sounds like not enough room in the root partition.

You may have chosen to let Ubuntu choose the partition sizes.

See http://www.easy-ubuntu-linux.com/ubuntu-installation-606-7.html for manually partitioning the disk.

And http://www.easy-ubuntu-linux.com/installation-primer.html

You'll use the ext3 format.


Oh reset your router/DSL/modem in case that is the device that has been hacked.
0
papilioAuthor Commented:
Thanks Tobias, this Linux/Ubuntu is all very new to me -- though I have a fairly advanced knowledge of Windows infrastructure, should be fun learning a whole new system.

Yes, it's a factory Dell CD dbrunton, and both machines are Dell, but same odd install behavior on both, clearly not the usual visual behavior -- and I've installed from this disc a lot. Yes, I had left the disk unpartitioned (I mean all one partition) and formatted trying both of the normal formats.  I'll check out the links, thanks.  And I've not reset the modem, the one thing I hadn't thought of clearing, thanks again!
0
_Commented:
Alright, the cavalry arrived.   ; )
0
papilioAuthor Commented:
Indeed!  (yourself included.)
0
Mohammed Hamada Commented:
This is a real weird story. I've heard of a similar problem with almost exact symptoms about a virus that would hide in the logical drive's small cache partition which is 8mb and then becomes active upon installing Windows, but that was easy to remove with wiping the HDD and deleting the whole partitions and re-creating them.

But it sounds weird here because I'd never imagine that it's logical for a virus to move into hardware pieces.
I think the best way of transferring files from your HDD is using knoppix CD.

GL
0
papilioAuthor Commented:
Thanks GL,

I think it's been pretty much ruled out as having somehow stowed away in the mouse!  

This had become so exhausting that I've totally abandoned it for several days.  I did transfer all data with no losses, far as I can tell, by installing Ubuntu on another machine and having it do the task, so that data is safe and hopefully clean.

I'm pretty sure that my best bet is erasing  ALL memory from the system, wherever it may be on the computer.  So far I've apparently not been able to clear everything properly -- if I understand correctly, a system device configuration report from a bootcd, immediately after clearing everything, should show no configuration at all if I've successfully wiped everything, so I must be missing something, or more likely making mistakes in the procedure.  Would anyone be up to talking me through ... So I'm starting out with a zero-filled HD, but to confirm that I am doing things correctly I'd be grateful anyone's suggestions, explicit steps on :

>  clearing all memory from the RAM sticks
>  the CMOS
>  any volatile BIOS memory

If I can be sure that's done correctly, what else may I be missing?

Thanks, I'm sure I'm close -- but even when I do get it killed I may never know what it was.  Sounds a lot like advapi/NetDevil, I know, but no evidence of that in the registry, assuming I've been checking the correct ones and not missing others.

And one thing in particular still totally puzzles me -- what might cause me to go straight to the desktop on the first logon at the end of installation -- trusted install cd, wiped HD -- and at least half a dozen reinstalls now without once seeing the flying windows and "Ya wanna turn on Auto Updates" stuff first anymore.  There must be a fairly simple explanation for what would be capable of causing that behavior, and may give me some clues.

Thanks everyone!
0
Mohammed Hamada Commented:
Starting by me, I'd do the following:
1- Disconnect the PC from the network.
2- Wiping Partitions using F-Disk command on a bootable CD.
3- Complete Format (Not Quick) after partitioning the new HDD.
4- Flashing the BIOS, Follow the below link:
http://www.pcstats.com/articleview.cfm?articleID=1605

Also you might be interested in having a hardware solution rather than having a Software antivirus for high classified files computer, Check Kaspersky's new products.

5- http://www.kaspersky.com/news?id=207576021

One thing I'm not sure of, How would you be clearing Memory ? do you mean you wanna replace them with new ones?
It's not difficult to do so if this is what you're referring to, just follow this link:
http://lifehacker.com/138665/hack-attack-how-to-install-ram

Then install windows just as always however i'd recommend that you get a new Windows CD.
Best Regards

0
TobiasHolmCommented:
To clear the RAM you can remove all the RAM sticks and they will be cleared. No need to buy new ones.
0
_Commented:
>>  what might cause me to go straight to the desktop...

I don't know, unless the virus has made a small hidden partition for itself, or is hiding in some place like the reserve sectors.
But zero-filling the whole drive should have cured that.
0
papilioAuthor Commented:
Once again, sorry for not replying in a more timely manner.  


So ... it appears I've gotten rid of whatever it was, by

> Zeroing out the HD (5-pass DoD wipe) from a boot CD, then immediately disconnecting it (after shutting down the machine and pulling the plug)
> Pulling all RAM cards  (BTW GL, no, hadn't meant getting new ones.)
> Jumpering the pins to clear CMOS
> Popping out the battery for a minute
> Flashing the BIOS from a USB stick, with Dell's latest update

Probably some of this was redundant, but 1) I'm no expert!  2) Wanted to be as sure as I could that there'd be nowhere left for it to be hiding.

Reinstalled from my trusted XP Home disc, and once again saw, at last, the usual "Welcome to Windows", etc.  :D  Reinstalled the drivers from the accompanying Dell disc.  Connected to the web (had also reset the DSL modem again), launched Firefox (as always since this began, a fresh DL) -- then just sat and monitored things for several hours.

Not a single one of the disturbing security Events Viewer entries, and zero modem activity unless it was my own, a first in a very long time.  Absolutely no invasive behaviour throughout the system.

I'm not paranoid enough to think this is connected, but just minutes before I was about to attempt the above fix the first time, my beloved Dell 2405 died!  So that kept me inactive until I got its replacement.


Frustrating as this has been, I'll admit that I had prolonged solving the problem a bit, a part of me enjoying the detective work.  I really wanted to know where the seed had been hiding and surviving, as it was clearly not on the HD which I had wiped again and again, before attempting each new possible solution.  And I just plain wanted to know which bug it was!  So I guess I'll have to let those things remain a mystery, it's gone and I can get on with things.

Thanks for the Kaspersky link GL, looks like they're really helping advance the state of virus/malware protection.  I haven't looked into their products yet (I definitely will), but if I understand the news article they're focusing on HD infection, which my problem had moved beyond somehow, though I'll assume it had to have begun there.

I'm also curious how this all began, as in about 15 years I'd never encountered the slightest trouble with viruses or spyware -- I suppose it must just be the result of their advancing sophistication.  For the past couple of months, daily scans with up-to-date programs from all of the big names have been showing my system as clean (including bootcd scans), but quite possibly Kaspersky's would have detected rootkits which the others missed.  

Am I correct in getting the impression that this sort of complete system takeover/hijacking is coming up more frequently lately on the various security forums?


So, I've now switched to Ubuntu.  Which, as I'm new to Linux, brings up a host of new questions!  (Misc Security | "Ubuntu security with Windows XP in a virtual environment")


Thank you all
so much for your time and assistance!

All my best,
Michael


0
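Of the steps listed in the post above, the one whose result can be checked rather than taken on trust is the zero-fill: read the whole device back and confirm there is not a single non-zero byte before building on it. The following is an added example, not from the thread or from any wiping tool. It reads a disk (or, in the built-in demo, two constructed image files in a temporary directory) in large chunks and reports the offset of the first non-zero byte. Assumptions: it is run from a live CD as root with the device given as the argument (the Linux device path /dev/sdb in the usage note is an example, not the poster's), and the image sizes in demo() are arbitrary.

```python
"""Verify that a disk (or image file) is entirely zero-filled.

Added example for the wipe procedure above; not code from any poster or tool.
Run it after the zero-fill and before trusting the drive, e.g.
    python verify_zero.py /dev/sdb
from a live CD as root.  demo() exercises it on two constructed files.
"""
import os
import sys
import tempfile
from collections import namedtuple

Result = namedtuple("Result", "ok first_nonzero zero_bytes")


def verify_zero_filled(path, chunk_size=4 << 20):
    """Read path to the end; return Result(ok, first_nonzero, zero_bytes).

    zero_bytes is how many leading bytes were confirmed zero.  Each chunk is
    compared against a pre-built zero block, so the cost is I/O-bound rather
    than per-byte Python; the last, shorter chunk is compared to a slice.
    """
    zero_block = bytes(chunk_size)
    checked = 0
    with open(path, "rb", buffering=0) as f:
        while True:
            buf = f.read(chunk_size)
            if not buf:
                return Result(True, None, checked)
            if buf != zero_block[:len(buf)]:
                # Offset of the first non-zero byte inside this chunk.
                inside = len(buf) - len(buf.lstrip(b"\x00"))
                return Result(False, checked + inside, checked + inside)
            checked += len(buf)


def write_zeros(path, size, chunk_size=1 << 20):
    """Zero-fill a file or block device up to size bytes (the dd equivalent,
    kept here so that demo() can build its constructed images)."""
    zero_block = bytes(chunk_size)
    with open(path, "wb", buffering=0) as f:
        remaining = size
        while remaining > 0:
            n = min(chunk_size, remaining)
            f.write(zero_block[:n])
            remaining -= n


def demo():
    """Build two constructed images (sizes deliberately not chunk-aligned) and
    return (clean_result, dirty_result)."""
    size = 3 * (1 << 20) + 123            # arbitrary, ends in a short chunk
    dirty_offset = 2 * (1 << 20) + 7      # arbitrary, inside the third chunk
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.img")
        dirty = os.path.join(d, "dirty.img")
        write_zeros(clean, size)
        write_zeros(dirty, size)
        with open(dirty, "r+b") as f:
            f.seek(dirty_offset)
            f.write(b"\x55")              # one stray non-zero byte
        return (verify_zero_filled(clean, chunk_size=1 << 20),
                verify_zero_filled(dirty, chunk_size=1 << 20))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(demo())
    else:
        r = verify_zero_filled(sys.argv[1])
        print("all zero" if r.ok else "non-zero byte at offset %d" % r.first_nonzero,
              "(%d bytes confirmed zero)" % r.zero_bytes)
        sys.exit(0 if r.ok else 1)
```

Two caveats for using it on a real drive. If the wiping tool's final pass writes random data rather than zeros, the check will report a non-zero byte at offset 0; finish with a plain zero pass (`dd if=/dev/zero of=/dev/sdb bs=4M` from the live CD) and verify after that. And a clean result only covers the sectors the drive exposes through its normal interface; it says nothing about a host-protected area, a device configuration overlay or the drive's own firmware, which is exactly the gap the rest of the procedure above (pulling RAM, clearing CMOS, reflashing the BIOS) was trying to close.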
papilioAuthor Commented:
I just regret not having been able to identify the bug, might have helped others having similar problems.
0
papilioAuthor Commented:
Thanks again, GL -- I see now how Kaspersky really is directed at protecting against exactly this sort of trouble.
0
_Commented:
Thanks for the feedback and the Points, and I am glad to hear you finally killed it.    : )
0