unknown trojans or some things seeping into my computer?



#1 Kandinsky (Members, 42 posts)

Posted 05 January 2009 - 02:20 AM

I have some thing or some things either in or remotely controlling my computer. I noticed really bad bandwidth on my dial-up and tried to track it down. Zone Alarm keeps showing one main address that keeps attacking my computer/programs trying to get in, and once it gets in it uses those programs to send something back to that address again. I guess it's trying to use those as servers.

Nothing is finding much. At first Malwarebytes and another program found a few trojan registries, but only while in safe mode. I'm sorry, I think I lost the txt files I saved from those logs. They did not find programs. I had Avast antivirus, now have Norton; neither found anything, and whatever it is used the update links on them for itself. Tried Malwarebytes, Trojan Remover, Trojan Hunter, Spybot, SuperAntiSpyware. I've disabled a lot of services like remote desktop etc. It's still there somewhere.

My mouse is doing small erratic things and I suspect my keyboard is hooked or whatever. SnoopFree antikeyboarder seemed infected so I removed it, and when I tried to reinstall it the computer kept shutting down till I removed it again in safe mode. ...I doubt it's coming from SnoopFree.

I've reformatted 3 times and it's come back as soon as I access the internet to update antivirus etc. I can watch it come in, I think, through the AV links in Zone Alarm. OR... could it be in my BIOS??

So far it has taken control of Firefox, Avast antivirus and then Norton antivirus connections. Also TCPView and any other program which has any autoupdate or link to the net. Oh, and it really liked Orbit Downloader! It seems to have taken over something called 32-bit DIFx driver installer, installed a program folder for it, and it also set up a firewall IP address within Zone Alarm as safe and used that to download/upload. The address in the Zone Alarm firewall setting is the same as or owned by the same people as the address that's attacking me; I forget which. I tried deleting DIFx from "remove programs" and it kept coming back. Deleting the program folder didn't work either. I reformatted the operating system and stopped internet DIFx permissions with Zone Alarm, and that seems to have helped.

I have Windows XP SP2 Home Edition and am not keen on downloading SP3 in its entirety; not sure how buggy it is, and right now this thing probably won't let me anyway. It's formatted in NT (I don't know or understand this much at all, or if it makes a difference). Asus M2000N notebook motherboard on a desktop. I tried updating the motherboard drivers when I first got it but it was a mess; had to reformat.

My question is, not only how do I get rid of this thing, but also how do I block whatever hole it's using? I suspect the hole is the DIFx thing. After reformatting it uses DIFx first, and when that is blocked it seems it may be "seeping" in through other connections, at this point undetected by Zone Alarm. I think Zone Alarm is missing bits and pieces or something. I guess I need to search MS for security updates I can download separately. Or does anyone know of a phone line to an actual person to order an SP3 update by mail?

Please excuse my computer terms. This is all new stuff to me. Nothing like a virus to teach one something about computers, LOL. Any help would be very appreciated!

Edited by Kandinsky, 05 January 2009 - 02:49 AM.



#2 quietman7, Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 05 January 2009 - 08:49 AM

> I've reformatted 3 times

Exactly how did you do this?

Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over by wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action.

> I have windows xp sp2 home edition and am not keen on downloading sp3 in its entirety- not sure how buggy it is

See the pinned thread "Windows Xp Service Pack 3 (sp3) Information".

MBAM was updated to a new version yesterday. I suggest you update your version, then rescan with MBAM (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for updates through the program's interface (preferable way) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
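The wipe quietman7 describes above (repartition and format the whole drive, then clean-install), as an added example that is not part of the thread and not anyone's posted code: a batch file that drives diskpart to remove every partition on disk 0 and zero the drive before Windows Setup is run. It assumes the infected drive is disk 0 and that it is run from a trusted boot medium (a WinPE/BartPE CD, or a clean PC with the drive attached), never from inside the infected Windows installation; the file name and the temporary script name are my own.

```batch
@echo off
rem wipe-disk0.cmd -- added example, not code from the thread.
rem Removes every partition on disk 0 and zeroes the drive with diskpart,
rem so a subsequent Windows XP clean install inherits nothing from the
rem old installation (no MBR, boot sector or leftover partition survives).
rem Assumptions: the infected drive is disk 0; this runs from a trusted
rem boot medium (WinPE/BartPE or a clean PC with the drive attached), from
rem an administrator prompt. DO NOT run it inside the infected Windows.

setlocal
set "SCRIPT=%TEMP%\wipe-disk0.txt"

rem Step 1: list the disks so the operator can verify which one is disk 0.
echo list disk> "%SCRIPT%"
diskpart /s "%SCRIPT%"
if errorlevel 1 goto fail

echo.
echo This will DESTROY every partition and all data on disk 0.
echo Press Ctrl+C to abort, or
pause

rem Step 2: wipe. "clean" drops the partition table and boot sector info;
rem "clean all" additionally overwrites every sector with zeros (slow, but
rem leaves nothing for the reinstall to inherit). A single active primary
rem partition is recreated; Windows Setup formats it as NTFS later (the XP
rem diskpart has no format command of its own).
(
  echo select disk 0
  echo clean all
  echo create partition primary
  echo select partition 1
  echo active
  echo exit
)> "%SCRIPT%"
diskpart /s "%SCRIPT%"
if errorlevel 1 goto fail

del "%SCRIPT%"
echo Disk 0 wiped. Boot the XP CD and install into the new partition.
endlocal
exit /b 0

:fail
del "%SCRIPT%" 2>nul
echo diskpart reported an error; nothing further was done.
endlocal
exit /b 1
```

`clean` on its own is quick and is enough to remove the old partition table and boot sectors, which is what a reinstall that only reformats the Windows partition leaves behind; `clean all` can take hours on a large drive but is the option to pick when, as here, the owner no longer trusts anything on the disk. Deleting only the partition Windows lived on, as the topic starter did, leaves every other partition intact. Keep the modem unplugged until the service pack and antivirus have been applied from offline media, since the thread shows the reinfection arriving during the first update over dial-up.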

#3 Kandinsky, Topic Starter (Members, 42 posts)

Posted 05 January 2009 - 05:27 PM

>>>Exactly how did you do this?

>>>Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over by wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action.

Thank you, I deleted the partition the old windows was on, then reinstalled on the only partition left with "format the partition using the NTFS file system (quick)". Should that have done it or should I also delete the one partition remaining?

#4 Kandinsky, Topic Starter (Members, 42 posts)

Posted 05 January 2009 - 07:45 PM

Updated MBytes; it didn't detect anything.

#5 quietman7, Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 05 January 2009 - 10:04 PM

These links include step-by-step instructions with screenshots:
"XP Clean Install Interactive Setup"
"How to reformat your computer in case of a severe malware infection" (http://spyware-free.us/tutorials/reformat/)
"Reformat & Clean Install Windows XP"

If you want a thorough check of your system before reformatting again, please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your log in the thread titled "Post in this thread when you haven't received an answer in five days.".

#6 Kandinsky, Topic Starter (Members, 42 posts)

Posted 05 January 2009 - 11:44 PM

thank you Quietman7!

I didn't delete all partitions and that is probably it. I'm going through the links you posted & reading them now. I ordered sp3 by mail, it will take a week or 2 to get here (very isolated area) & then I'll reformat. If I still have the problem I'll post in the hijack this forum, if not I'll still post back here and let you know how it went. You've just saved me a lot of time and grief. I've already done most of the things recommended on the "Preparation Guide For Use Before Posting A Hijackthis Log" page. Some very nice tools there :thumbsup:

I guess I will also try and order Zone Alarm by mail and "jail" that DIFx thing and all auto updates as well, unless I find stuff that tells me it's secure now. I googled and found a couple of trojan/hack sites that mentioned (if I understand it right) stealing Asus motherboard and other hardware's Windows certification software and using it for a DIFx exploit. I hope the Zone Alarm people are on whatever this is. I'm amazed at just how sneaky it is.

My mouse is now meandering across this page, perhaps reading what is on it... Gawd, I hope that person gets a life. I mean, I'm not THAT interesting.

#7 Kandinsky, Topic Starter (Members, 42 posts)

Posted 06 January 2009 - 02:18 AM

oh.... no, I reformatted right. Did everything right & it took over norton while updating. But I didn't unplug the phone lines from my modem during reformat. $%^&*!!

I just found out it may take longer for the microsoft cd to arrive... so I might end up posting on the HJT forum. Thanks again for all your help & info :thumbsup:

#8 quietman7, Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 06 January 2009 - 09:02 AM

If you are going to post a log, please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your log in the thread titled "Post in this thread when you haven't received an answer in five days.".
