
Suspect a Trojan


Name: Brett J
Date: November 17, 2003 at 17:08:54 Pacific
OS: W2K Pro SP4
CPU/Ram: Celeron 500 / 192 RAM
Comment:

Afternoon all,
Long time lurker/admirer, first time poster. I am having fits trying to isolate anything about this infection. Being brand new to W2K isn't a huge help, I must admit.

Symptoms:
Password window bypassed at logon, Admin Tools/services being reset, browser constantly reverting to unknown alternate, Shmgrate.exe placed Set Program Access and Defaults in Add/Remove Programs window, unable to 'fix' (03) Toolbar or (04) [ICQ Lite] with HT, windows search works intermittently, cannot access 'Internet' under IE/tools/options...highly suspect of registry manipulation. Local settings missing from both named user and Administrator, cannot access clipbook and/or files ....

Cleaning and removal:
Spybot S&D, Adaware, TrendMicro, SwatIt and PC Flank all show nothing found (all with latest engines, pattern file, signatures, etc.) (absolutely no indication anywhere here)

This is a "bare bones" net machine, however it is used every day and it is flat out frustrating as I am pretty hands on and have never had a bug sitch I could not find an answer to until now... Posting HT log and also SwatIt as it is slightly different (shows additional start items and a ZA anomaly)
Thanks to anyone who can help.
Brett


Logfile of HijackThis v1.97.6
Scan saved at 4:28:09 PM, on 11/17/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Swat It Professional\SwatItPro.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Documents and Settings\brett\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SwatItPro] C:\Program Files\Swat It Professional\SwatItPro.exe /tray
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O17 - HKLM\System\CCS\Services\Tcpip\..\{223C6CC4-443D-42DE-8E14-05ECA62216F2}: NameServer = 204.118.6.2

SwatIt:
mobsync.exe, Registry Run (Synchronization Manager), mobsync.exe /logon, C:\WINNT\system32\
hpztsb04.exe, Registry Run (HPDJ Taskbar Utility), C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe, C:\WINNT\system32\spool\drivers\w32x86\3\
SwatItPro.exe, Registry Run (SwatItPro), C:\Program Files\Swat It Professional\SwatItPro.exe /tray, C:\Program Files\Swat It Professional\
ICQLite.exe, Registry RunOnce (ICQ Lite), C:\Program Files\ICQLite\ICQLite.exe -trayboot, C:\Program Files\ICQLite\
ZoneAlarm.lnk, Shell Startup Folder, C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZoneAlarm.lnk, C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZoneAlarm.lnk, User Shell Startup Folder, %ALLUSERSPROFILE%\Start Menu\Programs\Startup\ZoneAlarm.lnk, %ALLUSERSPROFILE%\Start Menu\Programs\Startup\
shmgrate.exe, Active Setup (>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}), "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE, C:\WINNT\System32\
end ::
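A small parser for the HijackThis log format posted above, added here as an example (it is not part of this thread and not HijackThis's own code). The embedded sample is a constructed subset of the log above; the "trusted directories" list and the review rules are assumptions for illustration and only surface items for a person to check, not verdicts.

```python
import re
# Constructed sample: a subset of the HijackThis v1.97.6 log posted above.
HJT_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Documents and Settings\brett\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [SwatItPro] C:\Program Files\Swat It Professional\SwatItPro.exe /tray
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O17 -HKLM\System\CCS\Services\Tcpip\..\{223C6CC4-443D-42DE-8E14-05ECA62216F2}: NameServer = 204.118.6.2
"""

# Matches "O4 - HKLM\..\Run: ..." style lines; the spacing around "-" varies in real logs.
ENTRY_RE = re.compile(r"^(R\d|O\d+)\s*-\s*(.*)$")
def parse_hjt_log(text):
    """Split a HijackThis log into (running process paths, [(section code, detail), ...])."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False            # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries
# Assumed review rules (not HijackThis's own logic): surface items a person should check.
TRUSTED_DIRS = ("c:\\winnt\\", "c:\\program files\\")

def review(processes, entries):
    """Return review notes: prompts for manual checking, not verdicts."""
    notes = []
    for p in processes:
        if not p.lower().startswith(TRUSTED_DIRS):
            notes.append("process outside the usual system directories: " + p)
    for kind, detail in entries:
        if kind == "O4":
            notes.append("autostart entry (Run/RunOnce): " + detail)
        elif kind == "O17":
            # Compare this against the DNS server the ISP or DHCP actually assigned.
            notes.append("DNS server override to verify: " + detail.split("NameServer = ")[-1])
    return notes
```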




Response Number 1
Name: Imp
Date: November 17, 2003 at 17:49:13 Pacific
Reply:

Hello Brett,
I think the best would be for you to use that excellent program called "Trojan Remover".
This is freeware for one month, then shareware for the modest amount of $25 to get unlimited updates.
This program is the best compromise for people not so familiar with the trojan's betrayal; it works alone, and the free download gives you a complete updated program to try.
Trojan Remover at:
http://www.simplysup.com/tremover/details.html



Response Number 2
Name: Brett J
Date: November 17, 2003 at 18:53:03 Pacific
Reply:

Imp,
Thanks for the input.

I loaded and tried Trojan Remover with no luck. As with the others, TR detected nothing. As an aside to the original post, I have further discovered that the Send To folder displays quite an assortment of files that apparently have been collected and redirected. This is going to be quite cute, I suspect. I'll keep digging and you keep smiling.
Regards
Brett



Response Number 3
Name: Hammermill
Date: November 18, 2003 at 18:37:31 Pacific
Reply:

Go here for an on-line trojan scan:

http://www.trojanscan.com/trojanscan/trojanscan.htm



Response Number 4
Name: Irrepressable
Date: November 19, 2003 at 13:43:54 Pacific
Reply:

We are going through something VERY SIMILAR to what you are here!

We've been taken, but cannot find any trojan either. I think it is because they may have gotten rid of their entryway themselves...

We have 3 pcs here, and many, MANY odd things are going on. There are files we did not put on the systems, things making duplicates without us doing it, and lots of software that I didn't load! I discovered that my own pc has been made into a SERVER, and I seem to be hosting a gaming site!

If I delete unknown files, they reappear right before my eyes! I don't know much about networking, but I do know that I am now a "web server" or something, and that my pc is sending out broadcasting messages. (Right now I'm borrowing a laptop from the ex-husband to research this).

I changed some of the security settings, and disallowed anyone connecting to my "domain" from deleting their cache - now I have lots of visited web pages that I did not visit! Philadelphia newspapers, and some written in Greek (real Greek!).

Looking for a trojan won't be the answer, finding out how to REMOVE A DOMAIN and/or WinSock Server, possibly a MIRRORED drive, will be.

And if you do, please help me!
Deb



Response Number 5
Name: Brett J
Date: November 20, 2003 at 07:40:41 Pacific
Reply:

Deb,
Sounds like we have the same issues and possibly the same Trojan..

I allowed Services and controller brief access as a server last evening and found it listening on port 1025. One of the NetSpy ports. So, could be NetSpy buried deep in memory. 1025 is also tagged as a source of entry for a couple games...
Whatever this is has created a user shell, its own desktop, copied Zone Alarm and reconfigured it, and added an instance of IE4 as its personal browser. It/They moved text, email, image, fax folders to the desktop (My Documents) and hijacked Clipboard to copy to. I am denied access to new users' Administrative Tools and to the reconfigured ZA. Clues I have are the registry Run key shows Mobsync.exe /logon which sets the stage at bootup, and a radio toolbar that doesn't show anywhere in startup picked up by HT.. (the above are just the high points, many other issues). I'm with you, I need help, only spinning my wheels now... Have tried every trojan scan I can find plus Adaware, Spybot S&D, CW Shredder. Anyone with any ideas?

Best luck, Deb. I'll keep you advised on this thread... you do the same.
Brett


Response Number 6
Name: Brett J
Date: November 20, 2003 at 07:46:53 Pacific
Reply:

Deb
I forgot to add that this is almost assured to be a trojan, and unless and until it is removed from memory any changes we make are likely to be reversed and it will just keep re-occurring.
Brett



Response Number 7
Name: John C. Hillyer II
Date: December 6, 2003 at 23:04:24 Pacific
Reply:

"Who is on first?"
First one running, or first to modify the system is Commander.

Once a system is well-compromised, no inspection of that system from within that system will reveal, even in time domain. Fortunately, most spyware is junk and visible from within the affected system.

Externally monitoring, we'll see lost time from expert 'bots' managing system use, but nothing is reported from within. The best recourse is a fresh install of the operating system from trusted ROM, e.g., a retail CD-ROM.

For MS Windows, before accessing the network for updates/patches, disable excess local services (e.g. www publishing svc), and connect only through a firewall.

This principle applies to secure communications. When a stealthy monitor is installed at either communication endpoint where the communications are deciphered, one need not crack monster-key communications, just let the host system do it and read the result.

