HELP! Terminal Service Trojan??

Archived from groups: microsoft.public.windowsxp.security_admin

I'll try to be brief and follow-up with a few more details in "reply" posting.

It seems I have a trojan (or something...??) that I can't get rid of with a
disk wipe.

Why do I think I have a trojan?
General weird behavior, admins don't have permission for everything,
autoupdate doesn't always work, downloads appear to be "filtered" and
replaced (certificates on downloads invalid, wrong files, etc.), virus
software is removed, weird port activity, and unfamiliar "options" in software
installed.

Setup Process:
=================
Ghost &/or diskpartition secure disk wipe
Install XP Home w/ two user accounts
Install XP SP2 from MS disk (got in snail mail)
Install Norton Internet Security 2005 (also tried TrendMicro & Comp. Assoc)
Set Passwords for all accounts including Administrator (using net cmd)
Connect to Internet (through switch & firewalled gateway-->most ports blocked)
Get all latest Updates
Install Office 2003 Pro and get updates
(also tried various changes to this process including bios/cmos resets)
"Scans" are clean w/ software, internet website scans, and adaware/hotbot
(believe TS scanned, not host)

Results:
=========
PC appears to be added to a domain w/ AD. Users are <computername>\user
Registry has Sidebyside .NET installations
Templates and other components, like games, can't be removed through control
panel settings
Browser cache is "encrypted" and isn't removed through disk clean up or
"clear cache"

IME-chinese&japanese installed
IEAK installed

All devices are "legacy" and IDE is installed as SCSI


Boot partition is set to: \device\harddrive1\
Most hive files saved to: \device\harddrive1\ -- nothing in
c:\windows\system32\config\

Floppy and CD-Rom are mounted to hard drive (I think). CD-Rom is "cached" to
"CD_burning"

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
\??\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}
binary data indicates \??\cdrom mounted on
"stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
\??\Volume{317fd9f2-e117-11d9-9ee5-806d6172696f}
binary data indicates \??\genfloppy mounted on
"stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Registry has HLM->system->Setup key with "allowstart" for
AFD/Dcomlaunch/rpcss/protectedstorage/eventlog/plugplay/sacsvr/samss/ws2ifsl

Safemode looks like there are chinese or japanese characters in the corner

Laptop AGP Aperture mem is set to start at: F8000000 <--boot [desktop has
altered ACPI values?]

and logs like: TSCOS.LOG

Here's a snippet
++++++++++++++++++++++++++++++++++

*******Initializing Message Log:tsoc.dll 06/19/05 23:11:00
*******Version:Major=5, Minor=1, Build=2600, PlatForm=2, CSDVer=, Free

hydraoc.cpp(188)Entering OC_PREINITIALIZE
hydraoc.cpp(189)Component=terminalserver, SubComponent=?????????A
hydraoc.cpp(297)OC_PREINITIALIZE Done. Returning 1


hydraoc.cpp(188)Entering OC_INIT_COMPONENT
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
state.cpp(1006)Setup Parameters ****************************
state.cpp(1007)We are running on Wks
state.cpp(1008)Is this adv server No
state.cpp(1009)Is this Personal (Home Edition) Yes
state.cpp(1010)Is this SBS server No
state.cpp(1011)IsStandAloneSetup = No
state.cpp(1012)IsFreshInstall = Yes
state.cpp(1013)IsTSFreshInstall = Yes
state.cpp(1014)IsUnattendSetup = No
state.cpp(1015)IsUpgradeFromTS40 = No
state.cpp(1016)IsUpgradeFromNT50 = No
state.cpp(1017)IsUpgradeFromNT51 = No
state.cpp(1018)IsUnattended = No
state.cpp(1020)Original State ******************************
state.cpp(1021)WasTSInstalled = No
state.cpp(1022)WasTSEnabled = No
state.cpp(1023)OriginalPermMode = WIN2K
state.cpp(1037)Original TS Mode = TS Disabled
state.cpp(1050)Current State ******************************
state.cpp(1065)New TS Mode = Personal TS
state.cpp(1075)New Permissions Mode = PERM_WIN2K
state.cpp(1084)New Connections Allowed = False
hydraoc.cpp(297)OC_INIT_COMPONENT Done. Returning 0

hydraoc.cpp(188)Entering OC_EXTRA_ROUTINES
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
hydraoc.cpp(297)OC_EXTRA_ROUTINES Done. Returning 0

hydraoc.cpp(188)Entering OC_QUERY_STATE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
hydraoc.cpp(704)Query State Asked For terminalserver, Original. Returning
SubcompOff
hydraoc.cpp(297)OC_QUERY_STATE Done. Returning 2

hydraoc.cpp(188)Entering OC_CALC_DISK_SPACE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
subcomp.cpp(153)In OCMSubComp::OnCalcDiskSpace for TerminalServices
subcomp.cpp(109)sectionname = <FreshInstallSection.pro.x86>, actual section
= <TerminalServices.FreshInstall.pro>
subcomp.cpp(172)Calculating disk space for add section =
TerminalServices.FreshInstall.pro
hydraoc.cpp(297)OC_CALC_DISK_SPACE Done. Returning 0
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I have lots more data!

Anyone....ANYONE AT ALL...know what this is?? Is this known? Something new?
Some weird Microsoft copy protection gone bad (desktop not yet validated
since I keep rebuilding....laptop shouldn't be an issue)
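The two MountedDevices values listed above can be checked against the documented layout of that key instead of being read as "stuff". The following Python is an added example, not code from this thread: it decodes a regedit export of HKLM\SYSTEM\MountedDevices. Twelve-byte values are an MBR disk signature plus a partition byte offset, and longer values are UTF-16LE Plug and Play device interface paths; the GUID {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} at the end of such a path is GUID_DEVINTERFACE_VOLUME, the interface class every mounted volume exposes. The .reg text and the CD-ROM and floppy device paths are constructed for the demo (the two Volume{...} names are the ones quoted in the post).

```python
r"""Decode a regedit export of HKLM\SYSTEM\MountedDevices.

Added example (not code from the newsgroup thread). Two value layouts are
handled, both documented for this key:
  * 12 bytes                -> MBR disk signature (DWORD) + partition byte offset (QWORD)
  * UTF-16LE text, \??\ prefix -> Plug and Play device interface path, normally ending
                                 in GUID_DEVINTERFACE_VOLUME
Anything else is reported as raw hex rather than guessed at.
"""
import re
import struct
from typing import Any, Dict

# GUID_DEVINTERFACE_VOLUME: the device interface class every mounted volume exposes.
VOLUME_INTERFACE_GUID = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

# One exported value per line: "name"=hex:aa,bb,...  (continuations are joined first)
VALUE_RE = re.compile(r'^"([^"]+)"=hex:([0-9a-fA-F,]+)\s*$', re.M)


def reg_hex(data: bytes) -> str:
    """Format bytes the way regedit exports REG_BINARY values."""
    return ",".join(f"{b:02x}" for b in data)


# Constructed sample export (assumption: the device paths are made up for the demo;
# the two Volume{...} value names are the ones quoted in the post).
CDROM_PATH = "\\??\\IDE#CdRomSAMPLE_DVD_DRIVE#5&1a2b3c4d&0&0.0.0#" + VOLUME_INTERFACE_GUID
FLOPPY_PATH = "\\??\\FDC#GENERIC_FLOPPY_DRIVE#6&abcdef01&0&0#" + VOLUME_INTERFACE_GUID
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\MountedDevices]",
    '"\\\\DosDevices\\\\C:"=hex:' + reg_hex(struct.pack("<IQ", 0x12345678, 0x7E00)),
    '"\\\\??\\\\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}"=hex:'
    + reg_hex(CDROM_PATH.encode("utf-16-le")),
    '"\\\\??\\\\Volume{317fd9f2-e117-11d9-9ee5-806d6172696f}"=hex:'
    + reg_hex(FLOPPY_PATH.encode("utf-16-le")),
    "",
])


def parse_mounted_devices(reg_text: str) -> Dict[str, bytes]:
    """Return {value name: raw bytes} for every hex: value in the export."""
    # regedit wraps long hex runs with a trailing backslash and indents the rest
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    values: Dict[str, bytes] = {}
    for match in VALUE_RE.finditer(joined):
        name = match.group(1).replace("\\\\", "\\")  # regedit escapes backslashes
        values[name] = bytes.fromhex(match.group(2).replace(",", ""))
    return values


def decode_value(raw: bytes) -> Dict[str, Any]:
    """Interpret one MountedDevices value according to its layout."""
    if len(raw) == 12:
        signature, offset = struct.unpack("<IQ", raw)
        return {"kind": "mbr", "disk_signature": f"{signature:08x}",
                "partition_offset": offset}
    if len(raw) % 2 == 0:
        try:
            text = raw.decode("utf-16-le")
        except UnicodeDecodeError:
            text = ""
        if text.startswith("\\??\\"):
            return {"kind": "device_path", "path": text,
                    "is_volume_interface": text.lower().endswith(VOLUME_INTERFACE_GUID)}
    return {"kind": "unknown", "hex": raw.hex()}


def describe(reg_text: str) -> Dict[str, Dict[str, Any]]:
    """Decode every value in the export."""
    return {name: decode_value(raw) for name, raw in parse_mounted_devices(reg_text).items()}


if __name__ == "__main__":
    for name, info in describe(SAMPLE_REG).items():
        print(name, "->", info)
```

On a live machine the same export is produced with `regedit /e` against the MountedDevices key; feeding it to `describe` shows which drive letters are MBR partitions (signature plus offset) and which volume GUIDs are removable or optical device interfaces.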
  1. Archived from groups: microsoft.public.windowsxp.security_admin

    A few more details:

    I think that this "thing" sits on a system partition it hijacks during setup
    and then never tells the OS setup is finished so the system partition never
    gets erased.

    It is clearly also doing a system restore or backup at every boot to make
    sure it comes back.

    It also seems to create a shadow copy of itself. The OS reports I run out of
    space for occasional updates, when everything says I have 25+ gigs.

    A number of the controls appear to be either java or .net "copies".

    Communicates w/ pipes. Sets up a web server as evidenced by the inetsrv folder
    in c:\windows (unless that's an office thing). Seems to "encode" data into
    media streams and use ADO. Sets up update services so the "terminal os" gets
    patched versions of updates or doesn't install them (or uninstalls them).
    Disables motherboard devices through invalid updates with smbios...maybe
    firmware, which disables any ability to boot first or get to the cmos on
    some systems.

    Caches software and then runs it through a host3g.dll or similar and looks
    like it uses the processor performance counters to monitor things.

    If you're successful in getting the system partition removed, then you've also
    removed your registry so it won't boot.

    Creates $winnt$.inf where I think it may mount from??

    I know this sounds a bit paranoid, but I have all the data....after months!
    of banging my head.

    please let me know if this is all really legit so I can stop looking at
    this!!:)
  2. Archived from groups: microsoft.public.windowsxp.security_admin

    "SRGriffin" <SRGriffin@discussions.microsoft.com> wrote in message
    news:F902D053-40D2-4264-AC12-332FB95F44C6@microsoft.com...
    > I'll try to be brief and follow-up with a few more details in "reply"
    > posting.
    >
    > It seems I have a trojan (or something...??) that I can't get rid of with
    > a
    > disk wipe.
    > ...

    If you believe you have something on your disk that is surviving a "disk
    wipe" (this really depends on what you think you are doing and how you are
    doing this) - then low level format the entire disk (you do this at your own
    risk and must follow the manufacturer's instructions for this process).

    --

    Regards,

    Mike
    --
    Mike Brannigan [Microsoft]

    This posting is provided "AS IS" with no warranties, and confers no
    rights

    Please note I cannot respond to e-mailed questions, please use these
    newsgroups

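Mike's advice is to rebuild from media known to be clean and to treat restored data as a possible reinfection path. The defensive complement of that advice, as an added example that is not from this thread or from Microsoft, is to hash the files you intend to restore while they sit on a machine believed clean and to compare that manifest against what is actually present before copying anything back. Everything below is constructed: the file tree, the "installer" that gets replaced and the extra file that appears live in a temporary directory, so it runs offline.

```python
"""Verify a restore set or download folder against a hash manifest.

Added example, not from the newsgroup thread. build_manifest() records a
SHA-256 for every file under a directory; compare_manifest() reports what is
missing, added or modified relative to a manifest taken earlier on a machine
believed clean. A file that fails the comparison is something to examine,
not something to restore.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, forward slashes) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifest(expected: Dict[str, str], actual: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as missing, added, or modified (unchanged paths are omitted)."""
    common = expected.keys() & actual.keys()
    return {
        "missing": sorted(set(expected) - set(actual)),
        "added": sorted(set(actual) - set(expected)),
        "modified": sorted(p for p in common if expected[p] != actual[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a clean tree, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "report.txt"), "w") as f:
            f.write("quarterly numbers\n")
        with open(os.path.join(root, "setup.exe"), "wb") as f:
            f.write(b"MZ original installer bytes")
        clean = build_manifest(root)

        # Tampering, constructed for the demo: installer swapped, extra file dropped in.
        with open(os.path.join(root, "setup.exe"), "wb") as f:
            f.write(b"MZ replaced installer bytes")
        with open(os.path.join(root, "autorun.inf"), "w") as f:
            f.write("[autorun]\n")
        return compare_manifest(clean, build_manifest(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Keep the manifest itself off the machine being checked (on read-only media, or printed), since a manifest stored beside the data can be rewritten along with it.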
  3. Archived from groups: microsoft.public.windowsxp.security_admin

    I guess what I mean to say is that it survives the "process" of a diskwipe.
    (A diskwipe meaning a DOD diskwipe in Ghost and a Secure Erase in
    diskpartition). So either, something is booting off the disk and redirecting
    IO or there is something in flash memory somewhere that comes back or some
    combination.

    So since this isn't some known MS thing, I'll start posting more liberally
    around the web to see what I can find.

    Any way to verify my observations?

    "Mike Brannigan [MSFT]" wrote:

    > "SRGriffin" <SRGriffin@discussions.microsoft.com> wrote in message
    > news:F902D053-40D2-4264-AC12-332FB95F44C6@microsoft.com...
    > > I'll try to be brief and follow-up with a few more details in "reply"
    > > posting.
    > >
    > > It seems I have a trojan (or something...??) that I can't get rid of with
    > > a
    > > disk wipe.
    > > ...
    >
    > If you believe you have something on your disk that is surviving a "disk
    > wipe" (this really depends on what you think you are doing and how you are
    > doing this) - then low level format the entire disk (you do this at your own
    > risk and must follow the manufacturers instruction for this process).
    >
    > --
    >
    > Regards,
    >
    > Mike
    > --
    > Mike Brannigan [Microsoft]
    >
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights
    >
    > Please note I cannot respond to e-mailed questions, please use these
    > newsgroups
    >
  4. Archived from groups: microsoft.public.windowsxp.security_admin

    SRGriffin wrote:
    > ...

    --
    First, you are not crackers. This is a very nasty bug that thankfully does
    not seem to be widespread.
    My system is infected with it also and I came here to find out how to get rid
    of it.
    As far as wiping the hard drive it doesn't work. I have personally increased
    the value of Seagate stock
    because of this nasty bug.
    there is a file called delete driver; called from a DODONt.bat
    It removes your driver and replaces it with its own driver which reinstalls
    of oos
    held in the upper memory of DOS.
    I am trying to figure out how to get my driver back into DOS
    The delete driver command looks like this;
    cd\
    wscript c:\hp\bin\WaitAndDelete.jse "%1" /wait:1 //b
    if exist "%1" rd /s /q "%1"


    REM this file called
  5. Archived from groups: microsoft.public.windowsxp.security_admin

    You are not crackers. It removes your cdrom drivers and replaces them
    with a fake driver that links to its hideaway in DOS upper memory and just
    re-installs
    its own modified version of whatever os you are running.

    I have the same bug and have been hunting a fix for it.
    I have trashed three computers and ruined countless hard drives trying to get
    rid of this nasty thing.
    The Delete Driver file is called by device driver's DODONT.bat
    looks like this;
    cd\
    wscript c:\hp\bin\WaitAndDelete.jse "%1" /wait:1 //b
    if exist "%1" rd /s /q "%1"

    No one has seen this thing. They all tell me I'm crackers it can't do that
    but it did.
    It takes advantage of several exploits, it's like three worms in one.
    It is even running TaToo to infest jpg files.

    Now this part no one believes but it's in there; I couldn't figure out how I
    kept getting re-infested,
    New puters, not hooked to internet and it would load at start up!
    It opens a backdoor port to let a hacker in and he, on the original
    infestation, must have somehow got into my HP Laserjet 5m
    printer and changed the network configuration files on the printer.
    So now I have to figure out how to clean that and the puter.

  6. Archived from groups: microsoft.public.windowsxp.security_admin

    The two languages you are seeing are regular
    Chinese and simple Chinese.

    I found most of the log files on its installation.
    I found a list of all the files it deleted, I am not a computer guru though
    and have no idea how to fix this mess I have.
    I found a perl/cmd script File: Author kumarp 21-August-98
    also there is a RPCRC.BAT that locates and changes the partition
    It (the bug) changes Norton firewall and Virus detection, changed the windows
    firewall, and disables the Service Pack 2 patches.

    I am stuck with web-tv so I can't cut and paste.
    i wouldn't anyway as I don't want to give a complete road map
    on how to build and run this monster. But if
    someone at microsoft is willing to help us i would be more than glad to print
    this mess out and mail it to them.
    Look for a file regopt it gives the unattended file path.

    There is a file BDMI which shows buildId=44NAheBLW1
    and sets a something called TATOO_VER=61
    I checked the Symantec site and this seems to be a file for encrypting text
    into jpg files.
    Anyone know for sure what it is and what it does?

    I don't know what else to say but hope someone can help us get rid of this
    thing.
    Thanks
  7. Archived from groups: microsoft.public.windowsxp.security_admin

    Create a bootable floppy on a known clean machine.
    Boot from that and run the low level format tool from your harddisk vendor -
    there is no way for anything to survive that.
    then boot from the operating system CD (known to be clean) and reinstall your OS.
    Any further infection is caused by external infection or you're using
    infected media or restoring infected data.

    --

    Regards,

    Mike
    --
    Mike Brannigan [Microsoft]

    This posting is provided "AS IS" with no warranties, and confers no
    rights

    Please note I cannot respond to e-mailed questions, please use these
    newsgroups

    "Merna E via WindowsKB.com" <forum@WindowsKB.com> wrote in message
    news:505A71F75CA60@WindowsKB.com...
    > SRGriffin wrote:
    >>I'll try to be brief and follow-up with a few more details in "reply"
    >>posting.
    >>
    >>It seems I have a trojan (or something...??) that I can't get rid of with
    >>a
    >>disk wipe.
    >>
    >>Why do I think I have a trojan?
    >>General weird behavior, admins don't have permission for everything,
    >>autoupdate doesn't always work, downloads appear to be "filtered" and
    >>replaced (certificates on downloads invalid, wrong files, etc.), virus
    >>software is removed, weird port activity, and unfamiliar "options" in
    >>software
    >>installed.
    >>
    >>Setup Process:
    >>=================
    >>Ghost &/or diskpartition secure disk wipe
    >>Install XP Home w/ two user accounts
    >>Install XP SP2 from MS disk (got in snail mail)
    >>Install Norton Internet Security 2005 (also tried TrendMicro & Comp.
    >>Assoc)
    >>Set Passwords for all accounts including Administrator (using net cmd)
    >>Connect to Internet (through switch & firewalled gateway-->most ports
    >>blocked)
    >>Get all latest Updates
    >>Install Office 2003 Pro and get updates
    >>(also tried various changes to this process including bios/cmos resets)
    >>"Scans" are clean w/ software, internet website scans, and adaware/hotbot
    >>(believe TS scanned, not host)
    >>
    >>Results:
    >>=========
    >>PC appears to be added to a domain w/ AD. Users are <computername>\user
    >>Registry has Sidebyside .NET installations
    >>Templates and other components, like games, can't be removed through
    >>control
    >>panel settings
    >>Browser cache is "encrypted" and isn't removed through disk clean up or
    >>"clear cache"
    >>
    >>IME-chinese&japanese installed
    >>IEAK installed
    >>
    >>All devices are "legacy" and IDE is installed as SCSI
    >>
    >>Boot partition is set to: \device\harddrive1\
    >>Most hive files saved to: \device\harddrive1\ -- nothing in
    >>c:\windows\system32\config\
    >>
    >>Floppy and CD-Rom are mounted to hard drive (I think). CD-Rom is "cached"
    >>to
    >>"CD_burning"
    >>
    >>HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
    >>\??\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}
    >>binary data indicates \??\cdrom mounted on
    >>"stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    >>\??\Volume{317fd9f2-e117-11d9-9ee5-806d6172696f}
    >>binary data indicates \??\genfloppy mounted on
    >>"stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    >>
    >>Registry has HLM->system->Setup key with "allowstart" for
    >>AFD/Dcomlaunch/rpcss/protectedstorage/eventlog/plugplay/sacsvr/samss/ws2ifsl
    >>
    >>Safemode looks like there are chinese or japanese characters in the corner
    >>
    >>Laptop AGP Aperture mem is set to start at: F8000000 <--boot [desktop has
    >>altered ACPI values?]
    >>
    >>and logs like: TSCOS.LOG
    >>
    >>Here's a snippet
    >>++++++++++++++++++++++++++++++++++
    >>
    >>*******Initializing Message Log:tsoc.dll 06/19/05 23:11:00
    >>*******Version:Major=5, Minor=1, Build=2600, PlatForm=2, CSDVer=, Free
    >>
    >>hydraoc.cpp(188)Entering OC_PREINITIALIZE
    >>hydraoc.cpp(189)Component=terminalserver, SubComponent=?????????A
    >>hydraoc.cpp(297)OC_PREINITIALIZE Done. Returning 1
    >>
    >>hydraoc.cpp(188)Entering OC_INIT_COMPONENT
    >>hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
    >>state.cpp(1006)Setup Parameters ****************************
    >>state.cpp(1007)We are running on Wks
    >>state.cpp(1008)Is this adv server No
    >>state.cpp(1009)Is this Personal (Home Edition) Yes
    >>state.cpp(1010)Is this SBS server No
    >>state.cpp(1011)IsStandAloneSetup = No
    >>state.cpp(1012)IsFreshInstall = Yes
    >>state.cpp(1013)IsTSFreshInstall = Yes
    >>state.cpp(1014)IsUnattendSetup = No
    >>state.cpp(1015)IsUpgradeFromTS40 = No
    >>state.cpp(1016)IsUpgradeFromNT50 = No
    >>state.cpp(1017)IsUpgradeFromNT51 = No
    >>state.cpp(1018)IsUnattended = No
    >>state.cpp(1020)Original State ******************************
    >>state.cpp(1021)WasTSInstalled = No
    >>state.cpp(1022)WasTSEnabled = No
    >>state.cpp(1023)OriginalPermMode = WIN2K
    >>state.cpp(1037)Original TS Mode = TS Disabled
    >>state.cpp(1050)Current State ******************************
    >>state.cpp(1065)New TS Mode = Personal TS
    >>state.cpp(1075)New Permissions Mode = PERM_WIN2K
    >>state.cpp(1084)New Connections Allowed = False
    >>hydraoc.cpp(297)OC_INIT_COMPONENT Done. Returning 0
    >>
    >>hydraoc.cpp(188)Entering OC_EXTRA_ROUTINES
    >>hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
    >>hydraoc.cpp(297)OC_EXTRA_ROUTINES Done. Returning 0
    >>
    >>hydraoc.cpp(188)Entering OC_QUERY_STATE
    >>hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
    >>hydraoc.cpp(704)Query State Asked For terminalserver, Original. Returning
    >>SubcompOff
    >>hydraoc.cpp(297)OC_QUERY_STATE Done. Returning 2
    >>
    >>hydraoc.cpp(188)Entering OC_CALC_DISK_SPACE
    >>hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
    >>subcomp.cpp(153)In OCMSubComp::OnCalcDiskSpace for TerminalServices
    >>subcomp.cpp(109)sectionname = <FreshInstallSection.pro.x86>, actual
    >>section
    >>= <TerminalServices.FreshInstall.pro>
    >>subcomp.cpp(172)Calculating disk space for add section =
    >>TerminalServices.FreshInstall.pro
    >>hydraoc.cpp(297)OC_CALC_DISK_SPACE Done. Returning 0
    >>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    >>
    >>I have lots more data!
    >>
    >>Anyone....ANYONE AT ALL...know what this is?? Is this known? Something new?
    >>Some weird Microsoft copy protection gone bad (desktop not yet validated
    >>since I keep rebuilding....laptop shouldn't be an issue)
    >
    > --
    > First, you are not crackers. this is a very nasty bug that thankfully does
    > not seem to be widespread.
    > My system is infected with it also and I came here to find out how to get
    > rid
    > of it.
    > As far as wiping the hard drive it doesn't work. I have personally
    > increased
    > the value of Seagate stock
    > because of this nasty bug.
    > there is a file called delete driver; called from a DODONt.bat
    > It removes your driver and replaces it with its own driver which
    > reinstalls
    > of oos
    > held in the upper memory of DOS.
    > I am trying to figure out how to get my driver back into DOS
    > The delete driver command looks like this;
    > cd\
    > wdscript c:\hp\bin\waitAndDelete.jse "%1" /wait:1 //b
    > if exist "%1" rd /s /q "%1"
    >
    >
    >
    >
    > REM this file called
  8. Archived from groups: microsoft.public.windowsxp.security_admin

    Mike,

    Any way to boot off an XP setup disk and break into a command prompt to ensure
    it isn't reading an unattend file? Or force a setup wipe of everything (format
    in setup doesn't work)?

    Great suggestion on the low-level, unfortunately since nothing detects this
    "problem" I have no way to know if I have a clean disk. I initially went to
    Kinko's to download tools, but am now wondering if my current issues are from
    Kinko's....either viral or strange group policy settings. And, even if I
    could get a clean floppy, it appears to infect the DMI so prevents doing
    anything to the disk....formats don't work (although maybe the hardware guys
    can do something directly and I will try it).

    Other information for any that care:
    Delete partition through setup (and create a new, different size partition)
    doesn't work (log files dated from before installation). Seems to be
    "mirrored" somewhere. Did find references to a "SunDisk" shadow??

    Uses Performance Counters, Speech interface, SWflash, Media Encoding, .NET,
    java and VSB. Looks like it runs Internet 4.0.

    Boots a "SR" service which seems to restore everything to the initial image.

    I think it encodes data with media encoding both to hide and to issue
    "speech" commands.

    Have "run into" a few websites that cause the browser to spit back a screen
    about my own configuration, i.e. PSP install details, listing server details
    which includes my IP. MS site failed because of my "web.config" which has
    set to "remote only", among other things (haven't been able to find this
    "web.config").

    well...pulling out my hair! While this is definitely sophisticated, it isn't
    technically difficult, so I'm surprised no one seems to have heard or seen
    anything like this.

    Please add anything if anyone knows anything about this!
  9. Archived from groups: microsoft.public.windowsxp.security_admin

    To make any headway with this thing you are going to have to take back
    ownership of the files. It changes the registry completely.
    There is a software program inside it called ICE; it's a do not install file.

    It's a backdoor worm that changes the system files and registry. It runs
    through Real tech file. Go into services and turn off the sound. on both the
    local and extended.
    Once you turn off the sound you can access some of the files that keep
    telling you it is being used by another program.

    I'll tell you there is no easy fix for this one. It replaces all the drivers
    with its own driver files. All Legacy

    There is hardly anything left of the original registry.
    The worm is hidden in the PC-Doctor files to begin with but it looks like it
    has replicated itself in several different files. It's the service that is
    running as a user.
    In the Permissions it is listed as a user with a long number that is
    preceded by the letter "S".
    It also has a backup restore file with asr keys Not to restore, files not to
    back up, keys not to restore.
    It has a file named Biosinfo, cmos handler, a boot verification program,
    something called Hall C state Hacks.

    there is a file named "secrets" that has all their passwords. Five preset
    users come with the worm.

    If your worm is not a later version of the one I have the same passwords
    might be in it;
    CupdTime
    CurrVal
    OldVal
    OupdTime
    SecDesc

    Looks like the first one has the most access.

    I don't know if you can see my post or not.

    If so, a reply would be nice.
  10. Archived from groups: microsoft.public.windowsxp.security_admin

    Mike,

    Software loaded;
    Adobe
    Agere
    Apple Computer, Inc.
    Avance
    BackWeb
    CO7ft5Y
    Classes
    Clients
    Detto Technologies Inc.
    Gemplus
    Genesys Logic
    HP
    Ice
    InstallShield
    INTEL
    InterMute
    InterVideo
    JavaSoft
    L&H
    Lead Technologies
    Microsoft
    MicroVision
    Motive
    MozillaPlugins
    muvee Technologies
    ODBC
    PC-Doctor
    Polices
    Python
    RealNetworks
    Realtec
    S3
    Schlumberger
    Secure
    Sonic
    Symantic
    Wilson WindowWare
    Windows 3.1 Migration Status
    Xing Technology Corp.


    --
    Message posted via WindowsKB.com
    http://www.windowskb.com/Uwe/Forums.aspx/windows-xp-security/200507/1
  11. Archived from groups: microsoft.public.windowsxp.security_admin

    Merna,

    The list of software is irrelevant.

    Have you successfully reinstalled the OS and do you know you are clean?
    If so then you should obviously be fully patched and also loaded with anti
    virus and anti spyware.
    Then add your product back from known clean media only.


    --

    Regards,

    Mike
    --
    Mike Brannigan [Microsoft]

    This posting is provided "AS IS" with no warranties, and confers no
    rights

    Please note I cannot respond to e-mailed questions, please use these
    newsgroups

    "Merna E via WindowsKB.com" <forum@WindowsKB.com> wrote in message
    news:50D586FB30E60@WindowsKB.com...
    > Mike,
    >
    > Software loaded;
    > Adobe
    > Agere
    > Apple Computer, Inc.
    > Avance
    > BackWeb
    > CO7ft5Y
    > Classes
    > Clients
    > Detto Technologies Inc.
    > Gemplus
    > Genesys Logic
    > HP
    > Ice
    > InstallShield
    > INTEL
    > InterMute
    > InterVideo
    > JavaSoft
    > L&H
    > Lead Technologies
    > Microsoft
    > MicroVision
    > Motive
    > MozillaPlugins
    > muvee Technologies
    > ODBC
    > PC-Doctor
    > Polices
    > Python
    > RealNetworks
    > Realtec
    > S3
    > Schlumberger
    > Secure
    > Sonic
    > Symantic
    > Wilson WindowWare
    > Windows 3.1 Migration Status
    > Xing Technology Corp.
    >
    >
    > --
    > Message posted via WindowsKB.com
    > http://www.windowskb.com/Uwe/Forums.aspx/windows-xp-security/200507/1
  12. Archived from groups: microsoft.public.windowsxp.security_admin

    The worm files are in the regs. When you look at the regs they look normal.
    Start removing some of the tweaks to the regs and the hidden regs show up.
    The partition is also set up in the regs. There are 4 major hotkeys, within
    each is a section of security regs, these alert the automated program to
    repair itself should any of its files become damaged or corrupted. At the
    base of these regs it always refers back to @mmsys.cpl-5848. These regs
    refuse to be removed. In the permissions they are owned by the system worm
    which has a long number preceded by the letter "S" as its user name. Even
    taking ownership of the file did not allow me to delete it. Inside the
    partition it has a set of "shells" of EX, M, and 98.
    It is designed to make you think you have that OS, as you see the images of
    that OS, yet the core of the program has been replaced with NT.5. There is
    nothing left of XP except the facia. When you try to reformat you are simply
    directed to the reinstallation of its own OS-appropriate facia. All the files
    are stored in its partition.
    There are tweaks to the regs to suppress the plug and play and direct
    everything related to your CD-ROM and other media drives back to the drivers
    in its partition, which are tweaked to allow you to use your media for
    anything except installing OS or anti-virus software.
    Every other line of code in the screen savers even ends with a .1; a line of
    the worm's code. The worm is replicated over and over again inside the regs
    and in all of the files.
    There is a program called watch dog, and one called time bomb.
    Apparently the watch dog keeps the worm files intact. I have seen several
    references releasing files if the remote server does not log on by a specific
    time.
    The remote server logs on with the password "Raw".
    There is also a bunch of regs referring to a journal. By the time I found
    these regs the worm was already fighting me for control and I was unable to
    open the files. It has a Lockdown feature that refuses you the ability to
    search, edit or delete. It also has regs to disallow the emptying of the
    recycle bin.
    I sure hope someone is reading this and can help me figure out how to get rid
    of these persistent regs!
    After I had removed all of its regs I could (before it froze up regedit) it
    started converting the regs to links.
    I'm way over my head here guys, could use some ideas.
    Thanks
  13. Archived from groups: microsoft.public.windowsxp.security_admin

    Sorry, this web-tv browser doesn't let me see what I have written until it's
    posted.
    Correction: The "Shells" in the regs are for the Local machine. It is set up
    with facia from XP both Home and Pro, Millennium and 98.
    It seems to have the ability to pick up the facia of whatever OS the victim's
    machine is running.


    Mike,

    I can't re-install the OS as it won't recognise the cdrom.
    It keeps re-installing from the partition. Regs are set up which disallow the
    format to wipe the partition. It is in protected storage regs.
    The partition is set up with persistent regs which it won't allow me to delete.
    Thanks


    --
    Message posted via WindowsKB.com
    http://www.windowskb.com/Uwe/Forums.aspx/windows-xp-security/200507/1
  14. Archived from groups: microsoft.public.windowsxp.security_admin

    The Windows XP CD-ROM IS bootable - you need to just set your BIOS to use the
    CD as the first boot drive (see your PC or motherboard/BIOS manual).
    This will run setup before anything else - you can then remove partitions
    and reformat etc. Then do a clean install.
    If you really want to low-level format the hard disk too, just follow the
    advice I have already provided.

    --

    Regards,

    Mike
    --
    Mike Brannigan [Microsoft]

    This posting is provided "AS IS" with no warranties, and confers no
    rights

    Please note I cannot respond to e-mailed questions, please use these
    newsgroups

    ""Merna E via WindowsKB.com"" <forum@WindowsKB.com> wrote in message
    news:50EC5366C9D27@WindowsKB.com...
    > Sorry, this web-tv browser doesn't let me see what I have written until
    > it's
    > posted.
    > Correction: The "Shells" in the regs are for the Local machine. It is set
    > up
    > with facia from XP both Home and Pro, Millennium and 98.
    > It seems to have the ability to pick up the facia of whatever OS the
    > victim's
    > machine is running.
    >
    >
    > Mike,
    >
    > I can't re-install the OS as it won't recognise the cdrom.
    > It keeps re-installing from the partition. Regs are set up which disallow the
    > format to wipe the partition. It is in protected storage regs.
    > The partition is set up with persistent regs which it won't allow me to
    > delete.
    > Thanks
    >
    >
    > --
    > Message posted via WindowsKB.com
    > http://www.windowskb.com/Uwe/Forums.aspx/windows-xp-security/200507/1
  15. Archived from groups: microsoft.public.windowsxp.security_admin

    Hi

    After reading this whole post I have to agree with Mike, disconnect
    this machine from any network, low level the drive or use debug (script
    on MS site for clearing partition table) from a known clean bootdisk to
    level all the partitions then leave machine powered off for 20 mins ish
    so there is no memory resident nasty

    then with known clean media boot from the OS CD and create
    partitions and install, if you are mega paranoid enable any write
    protection to the CMOS that your motherboard has and also any BIOS
    virus protection which only really prevents boot sector viruses but hey
    give it a go

    once this has been done there is no way unless from an outside source
    that this can be reinfected, unless and I don't know if this is possible
    but could the code reside in the CMOS if so flash the BIOS of your
    motherboard with the latest version, or flash it again if you have the
    latest version THEN enable write protection for the CMOS

    another thing "It keeps re-installing from the partition" what on earth
    does this mean, is this a system with a backup partition on to recover
    from if so that may be infected but the above process will resolve that
    anyway

    Hope you fix it, logic dictates the above and previous advice from
    Mike if followed accurately will remove the (hey make that ANY) virus

    HTH

    S


    --
    pscyime
    Posted from http://www.pcreview.co.uk/ newsgroup access
  16. Archived from groups: microsoft.public.windowsxp.security_admin

    Great information! Thanks! This is exactly what I've been seeing...all legacy
    drivers, hotkeys, etc.

    6+ hours on the phone with symantec and microsoft and still haven't been
    able to reach anyone yet that knows more than I do:)

    Mike,

    Can't boot off the XP disk since CMOS changes don't take effect and disables
    cdrom boot (as Merina mentions). Might be able to boot off a floppy...but
    can't download the files as it "filters" all downloads. And, I don't
    have a clean machine that I can execute files from (Kinko's computers don't
    allow it....maybe I'll check the library)....and finally, even if I can,
    since nothing detects this...can't be 100% that it's clean anyway...

    Actually appears to be an embedded NT or XP as a PXE (which would explain why
    the CMOS doesn't seem to change...lots of .rom, .ram and .bin files that I
    believe it uses to present a false CMOS).

    This can be verified by changing "secure boot" to 0 in registry and hitting
    F8...select anything...then hit F8 again immediately after it starts to boot.
    It loads a few files then gives you ANOTHER "boot option" screen.

    Install Linux (Linspire) and can see more of it....even changes files and
    permissions there too...so maybe it's a linux PXE??

    Any way from Windows to trash/erase PXE?
  17. Archived from groups: microsoft.public.windowsxp.security_admin

    Hi!

    I seem to have the same infection on my computer. Has anyone figured
    this out yet? Have you all managed to clean your machines without it
    coming back? I'd love to have more information.

    Thanks
    CR
  18. Quote:
    Archived from groups: microsoft.public.windowsxp.security_admin

    Great information! Thanks! This is exactly what I've been seeing...all legacy
    drivers, hotkeys, etc.

    6+ hours on the phone with symantec and microsoft and still haven't been
    able to reach anyone yet that knows more than I do:)

    Mike,

    Can't boot off the XP disk since CMOS changes don't take effect and disables
    cdrom boot (as Merina mentions). Might be able to boot off a floppy...but
    can't download the files as it "filters" all downloads. And, I don't
    have a clean machine that I can execute files from (Kinko's computers don't
    allow it....maybe I'll check the library)....and finally, even if I can,
    since nothing detects this...can't be 100% that it's clean anyway...


    I know this is an old a$$ post but I have trashed 4 computers by this monster of all "worms" that's bullet proof! My files ... Even the "secret" where all passwords are located from a ton of users which log on even if I'm not on the net using fax and scanner and printer ports I assume is one way in along with event logs, windows defender, disk management, defrag, firewall and rundll.exe no matter where I am or how hard I try it cannot be stopped from accessing the net...and users sign in as services! I got mine from what clearwire told me over and over their driver USB is write protected and impossible.... Bulls/;t because I uploaded the set up file to virus total!! Even took hdd's and had them 0'ed and still come back! Even used hirens boot disc and got so frustrated pulled the hdd out booted up and found ram is infested.... It's like a nightmare and it's driven me to the brink of self destruction or get meds people say is needed when I tell them what these possessed machines do! I'd be so grateful if someone can assist removing this beast pleeeeeeeease!?


    Actually appears to be an embedded NT or XP as a PXE (which would explain why
    the CMOS doesn't seem to change...lots of .rom, .ram and .bin files that I
    believe it uses to present a false CMOS).

    This can be verified by changing "secure boot" to 0 in registry and hitting
    F8...select anything...then hit F8 again immediately after it starts to boot.
    It loads a few files then gives you ANOTHER "boot option" screen.

    Install Linux (Linspire) and can see more of it....even changes files and
    permissions there too...so maybe it's a linux PXE??

    Any way from Windows to trash/erase PXE?
  19. I have no idea how my post ended up where it did so I'm gonna repost in hopes somebody can help!?

    I know this is an old a$$ post but I have trashed 4 computers by this monster of all "worms" that's bullet proof! My files ... Even the "secret" where all passwords are located from a ton of users which log on even if I'm not on the net using fax and scanner and printer ports I assume is one way in along with event logs, windows defender, disk management, defrag, firewall and rundll.exe no matter where I am or how hard I try it cannot be stopped from accessing the net...and users sign in as services! I got mine from what clearwire told me over and over their driver USB is write protected and impossible.... Bulls/;t because I uploaded the set up file to virus total!! Even took hdd's and had them 0'ed and still come back! Even used hirens boot disc and got so frustrated pulled the hdd out booted up and found ram is infested.... It's like a nightmare and it's driven me to the brink of self destruction or get meds people say is needed when I tell them what these possessed machines do! I'd be so grateful if someone can assist removing this beast pleeeeeeeease!?