
HELP! Terminal Service Trojan??

Anonymous
June 22, 2005 6:21:03 AM

Archived from groups: microsoft.public.windowsxp.security_admin

I'll try to be brief and follow-up with a few more details in "reply" posting.

It seems I have a trojan (or something...??) that I can't get rid of with a
disk wipe.

Why do I think I have a trojan?
General weird behavior, admins don't have permission for everything,
autoupdate doesn't always work, downloads appear to be "filtered" and
replaced (certificates on downloads invalid, wrong files, etc.), virus
software is removed, weird port activity, and unfamiliar "options" in software
installed.

Setup Process:
=================
Ghost &/or diskpartition secure disk wipe
Install XP Home w/ two user accounts
Install XP SP2 from MS disk (got in snail mail)
Install Norton Internet Security 2005 (also tried TrendMicro & Comp. Assoc)
Set Passwords for all accounts including Administrator (using net cmd)
Connect to Internet (through switch & firewalled gateway-->most ports blocked)
Get all latest Updates
Install Office 2003 Pro and get updates
(also tried various changes to this process including bios/cmos resets)
"Scans" are clean w/ software, internet website scans, and adaware/hotbot
(believe TS scanned, not host)

Results:
=========
PC appears to be added to a domain w/ AD. Users are <computername>\user
Registry has Sidebyside .NET installations
Templates and other components, like games, can't be removed through control
panel settings
Browser cache is "encrypted" and isn't removed through disk clean up or
"clear cache"

IME-chinese&japanese installed
IEAK installed

All devices are "legacy" and IDE is installed as SCSI


Boot partition is set to: \device\harddrive1\
Most hive files saved to: \device\harddrive1\ -- nothing in
c:\windows\system32\config\

Floppy and CD-Rom are mounted to hard drive (I think). CD-Rom is "cached" to
"CD_burning"

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
\??\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}
binary data indicates \??\cdrom mounted on
"stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
\??\Volume{317fd9f2-e117-11d9-9ee5-806d6172696f}
binary data indicates \??\genfloppy mounted on
"stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Registry has HLM->system->Setup key with "allowstart" for
AFD/Dcomlaunch/rpcss/protectedstorage/eventlog/plugplay/sacsvr/samss/ws2ifsl

Safemode looks like there are chinese or japanese characters in the corner

Laptop AGP Aperture mem is set to start at: F8000000 <--boot [desktop has
altered ACPI values?]

and logs like: TSCOS.LOG

Here's a snippet
++++++++++++++++++++++++++++++++++

*******Initializing Message Log:tsoc.dll 06/19/05 23:11:00
*******Version:Major=5, Minor=1, Build=2600, PlatForm=2, CSDVer=, Free

hydraoc.cpp(188)Entering OC_PREINITIALIZE
hydraoc.cpp(189)Component=terminalserver, SubComponent=?????????A
hydraoc.cpp(297)OC_PREINITIALIZE Done. Returning 1


hydraoc.cpp(188)Entering OC_INIT_COMPONENT
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
state.cpp(1006)Setup Parameters ****************************
state.cpp(1007)We are running on Wks
state.cpp(1008)Is this adv server No
state.cpp(1009)Is this Personal (Home Edition) Yes
state.cpp(1010)Is this SBS server No
state.cpp(1011)IsStandAloneSetup = No
state.cpp(1012)IsFreshInstall = Yes
state.cpp(1013)IsTSFreshInstall = Yes
state.cpp(1014)IsUnattendSetup = No
state.cpp(1015)IsUpgradeFromTS40 = No
state.cpp(1016)IsUpgradeFromNT50 = No
state.cpp(1017)IsUpgradeFromNT51 = No
state.cpp(1018)IsUnattended = No
state.cpp(1020)Original State ******************************
state.cpp(1021)WasTSInstalled = No
state.cpp(1022)WasTSEnabled = No
state.cpp(1023)OriginalPermMode = WIN2K
state.cpp(1037)Original TS Mode = TS Disabled
state.cpp(1050)Current State ******************************
state.cpp(1065)New TS Mode = Personal TS
state.cpp(1075)New Permissions Mode = PERM_WIN2K
state.cpp(1084)New Connections Allowed = False
hydraoc.cpp(297)OC_INIT_COMPONENT Done. Returning 0

hydraoc.cpp(188)Entering OC_EXTRA_ROUTINES
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
hydraoc.cpp(297)OC_EXTRA_ROUTINES Done. Returning 0

hydraoc.cpp(188)Entering OC_QUERY_STATE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
hydraoc.cpp(704)Query State Asked For terminalserver, Original. Returning
SubcompOff
hydraoc.cpp(297)OC_QUERY_STATE Done. Returning 2

hydraoc.cpp(188)Entering OC_CALC_DISK_SPACE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
subcomp.cpp(153)In OCMSubComp::onCalcDiskSpace for TerminalServices
subcomp.cpp(109)sectionname = <FreshInstallSection.pro.x86>, actual section
= <TerminalServices.FreshInstall.pro>
subcomp.cpp(172)Calculating disk space for add section =
TerminalServices.FreshInstall.pro
hydraoc.cpp(297)OC_CALC_DISK_SPACE Done. Returning 0
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I have lots more data!

Anyone....ANYONE AT ALL...know what this is?? Is this known? Something new?
Some weird Microsoft copy protection gone bad (desktop not yet validated
since I keep rebuilding....laptop shouldn't be an issue)
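The HKLM\SYSTEM\MountedDevices values quoted above can be decoded mechanically rather than eyeballed as "binary data". The script below is an added example and is not code from this thread. It recognises the three value shapes that key holds: a 12-byte basic-disk entry (4-byte disk signature plus 8-byte partition byte offset), a dynamic-disk "DMIO:ID:" entry, and a UTF-16LE device-interface path ending in a class GUID. The three GUIDs in the table are fixed Windows identifiers; the sample values are constructed for illustration, with only the \??\Volume{...} name taken from the post.

```python
import re
import struct
from typing import Any, Dict

# Device-interface class GUIDs that terminate MountedDevices device paths.
# These three values are fixed Windows identifiers.
INTERFACE_GUIDS = {
    "53f5630d-b6bf-11d0-94f2-00a0c91efb8b": "GUID_DEVINTERFACE_VOLUME",
    "53f56307-b6bf-11d0-94f2-00a0c91efb8b": "GUID_DEVINTERFACE_DISK",
    "53f56308-b6bf-11d0-94f2-00a0c91efb8b": "GUID_DEVINTERFACE_CDROM",
}
GUID_AT_END = re.compile(r"\{([0-9a-f-]{36})\}$", re.IGNORECASE)


def decode_mounted_device(data: bytes) -> Dict[str, Any]:
    """Classify one REG_BINARY value from HKLM\\SYSTEM\\MountedDevices."""
    # Basic (MBR) disk volume: 4-byte disk signature + 8-byte partition
    # byte offset, both little-endian. Real device paths are far longer
    # than 12 bytes, so the length test is unambiguous in practice.
    if len(data) == 12:
        disk_sig, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr", "disk_signature": f"{disk_sig:08x}",
                "partition_offset": offset}
    # Dynamic (LDM) volume: ASCII tag followed by a 16-byte volume id.
    if data.startswith(b"DMIO:ID:") and len(data) == 24:
        return {"kind": "dynamic", "volume_id": data[8:].hex()}
    # Anything else is a UTF-16LE device-interface path, e.g.
    # \??\STORAGE#RemovableMedia#...#{53f5630d-...}
    try:
        path = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return {"kind": "unknown", "raw": data.hex()}
    m = GUID_AT_END.search(path)
    guid = m.group(1).lower() if m else None
    return {"kind": "device_path", "path": path, "interface_guid": guid,
            "interface_class": INTERFACE_GUIDS.get(guid, "unrecognised")}


def decode_all(values: Dict[str, bytes]) -> Dict[str, Dict[str, Any]]:
    """Decode a whole {value_name: raw_bytes} dump of the key."""
    return {name: decode_mounted_device(raw) for name, raw in values.items()}


# Constructed sample values. Only the \??\Volume{...} name is taken from
# the post above; the binary contents are made up for illustration.
SAMPLE_VALUES: Dict[str, bytes] = {
    r"\DosDevices\C:": struct.pack("<IQ", 0x1A2B3C4D, 63 * 512),
    r"\??\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}":
        (r"\??\STORAGE#RemovableMedia#8&1c2d3e4f&0&RM"
         r"#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
    r"\DosDevices\D:": b"DMIO:ID:" + bytes(range(16)),
}

if __name__ == "__main__":
    for name, info in decode_all(SAMPLE_VALUES).items():
        print(name, "->", info)
```

On a live Windows machine the same dictionary can be filled from winreg (OpenKey on HKEY_LOCAL_MACHINE, SYSTEM\MountedDevices, then EnumValue in a loop), or from an offline SYSTEM hive with a hive parser. A path ending in the volume interface GUID is the form MountedDevices normally stores for a removable volume; the decoder tells you what an entry is, not whether it is trustworthy.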
Anonymous
June 22, 2005 6:55:01 AM


A few more details:

I think that this "thing" sits on a system partition it hijacks during setup
and then never tells the OS setup is finished so the system partition never
gets erased.

It is clearly also doing a system restore or backup at every boot to make
sure it comes back.

It also seems to create a shadow copy of itself. The OS reports I run out of
space for occasional updates, when everything says I have 25+ gigs.

A number of the controls appear to be either java or .net "copies".

Communicates w/ pipes. Sets up a web server as evidenced by the inetsrv folder
in c:\windows (unless that's an office thing). Seems to "encode" data into
media streams and use ADO. Sets up update services so the "terminal os" gets
patched versions of updates or doesn't install them (or uninstalls them).
Disables motherboard devices through invalid updates with smbios...maybe
firmware, which disables any ability to boot first or get to the cmos on
some systems.

Caches software and then runs it through a host3g.dll or similar and looks
like it uses the processor performance counters to monitor things.

If you're successful in getting the system partition removed, then you've also
removed your registry so it won't boot.

Creates $winnt$.inf where I think it may mount from??

I know this sounds a bit paranoid, but I have all the data....after months!
of banging my head.

please let me know if this is all really legit so I can stop looking at
this!!:) 
Anonymous
June 22, 2005 3:14:37 PM


"SRGriffin" <SRGriffin@discussions.microsoft.com> wrote in message
news:F902D053-40D2-4264-AC12-332FB95F44C6@microsoft.com...
> I'll try to be brief and follow-up with a few more details in "reply"
> posting.
>
> It seems I have a trojan (or something...??) that I can't get rid of with
> a
> disk wipe.
> ...

If you believe you have something on your disk that is surviving a "disk
wipe" (this really depends on what you think you are doing and how you are
doing this) - then low level format the entire disk (you do this at your own
risk and must follow the manufacturers instruction for this process).

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

Anonymous
June 22, 2005 3:14:38 PM


I guess what I mean to say is that it survives the "process" of a diskwipe.
(A diskwipe meaning a DOD diskwipe in Ghost and a Secure Erase in
diskpartition). So either something is booting off the disk and redirecting
IO, or there is something in flash memory somewhere that comes back, or some
combination.

So since this isn't some known MS thing, I'll start posting more liberally
around the web to see what I can find.

Any way to verify my observations?

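One concrete way to test the "something is booting off the disk and redirecting IO" hypothesis from the post above is to capture the drive's first sector from a trusted boot medium before and after each rebuild and compare the pieces that matter: the 440 bytes of boot code, the 4-byte disk signature, and the four partition-table entries. The script below is an added example, not code from this thread; the MBR layout it parses is the standard one, and the sample sector is constructed (the seven-byte boot-code prologue is the usual xor ax,ax / mov ss,ax / mov sp,7C00h opening, used here only as illustrative content).

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: executable boot code
DISK_SIG_OFFSET = 440         # 4-byte Windows disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int      # e.g. 0x07 = NTFS/HPFS, 0x0B/0x0C = FAT32
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    boot_code = sector[:BOOT_CODE_LEN]
    (disk_sig,) = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)
    partitions: List[Partition] = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:        # empty slot
            continue
        partitions.append(Partition(i, status == 0x80, ptype, lba, count))
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Report what changed between two captures of the same drive's MBR."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code hash changed")
    if a["disk_signature"] != b["disk_signature"]:
        findings.append("disk signature changed")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes = b"\x33\xc0\x8e\xd0\xbc\x00\x7c",
                     disk_sig: int = 0x12345678) -> bytes:
    """Constructed sample: one bootable NTFS partition starting at LBA 63."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_sig)
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET,
                     0x80, 0x07, 63, 20_971_457)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    baseline = build_sample_mbr()
    tampered = bytearray(baseline)
    tampered[0] ^= 0xFF       # one byte of boot code flipped
    print(parse_mbr(baseline))
    print(diff_mbr(baseline, bytes(tampered)))
```

To use it on real hardware, read the first sector from a clean boot medium (on Linux, dd if=/dev/sda bs=512 count=1 of=mbr.bin; on Windows, open \\.\PhysicalDrive0 as an administrator and read 512 bytes) and keep the baseline capture off the suspect machine. An unchanged MBR only rules out tampering with that one sector: it says nothing about the active partition's boot sector, option ROMs or system firmware, so those need their own checks.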
Anonymous
June 25, 2005 6:23:43 AM


First, you are not crackers. This is a very nasty bug that thankfully does
not seem to be widespread.
My system is infected with it also and I came here to find out how to get rid
of it.
As far as wiping the hard drive, it doesn't work. I have personally increased
the value of Seagate stock
because of this nasty bug.
There is a file called delete driver, called from a DODONT.bat.
It removes your driver and replaces it with its own driver which reinstalls
its OS
held in the upper memory of DOS.
I am trying to figure out how to get my driver back into DOS.
The delete driver command looks like this:
cd\
wscript c:\hp\bin\WaitAndDelete.jse "%1" /wait:1 //b
if exist "%1" rd /s /q "%1"




REM this file called
Anonymous
June 25, 2005 6:55:25 AM


You are not crackers. It removes your cdrom drivers and replaces them
with a fake driver that links to its hideaway in DOS upper memory and just
re-installs
its own modified version of whatever OS you are running.

I have the same bug and have been hunting a fix for it.
I have trashed three computers and ruined countless hard drives trying to get
rid of this nasty thing.
The Delete Driver file is called by device driver's DODONT.bat
looks like this:
cd\
wscript c:\hp\bin\WaitAndDelete.jse "%1" /wait:1 //b
if exist "%1" rd /s /q "%1"

No one has seen this thing. They all tell me I'm crackers, it can't do that,
but it did.
It takes advantage of several exploits; it's like three worms in one.
It is even running TaToo to infest jpg files.

Now this part no one believes but it's in there: I couldn't figure out how I
kept getting re-infested.
New puters, not hooked to the internet, and it would load at start up!
It opens a backdoor port to let a hacker in and he, or the original
infestation, must have somehow got into my HP Laserjet 5m
printer and changed the network configuration files on the printer.
So now I have to figure out how to clean that and the puter.

Anonymous
June 25, 2005 8:59:25 PM


The two languages you are seeing are regular
Chinese and simple Chinese.

I found most of the log files on its installation.
I found a list of all the files it deleted. I am not a computer guru though
and have no idea how to fix this mess I have.
I found a perl/cmd script File: Author kumarp 21-August-98
also there is a RPCRC.BAT that locates and changes the partition.
It (the bug) changes Norton firewall and virus detection, changed the Windows
firewall, and disables the Service Pack 2 patches.

I am stuck with web-tv so I can't cut and paste.
I wouldn't anyway as I don't want to give a complete road map
on how to build and run this monster. But if
someone at Microsoft is willing to help us I would be more than glad to print
this mess out and mail it to them.
Look for a file regopt; it gives the unattended file path.

There is a file BDMI which shows buildId=44NAheBLW1
and sets a something called TATOO_VER=61.
I checked the Symantec site and this seems to be a file for encrypting text
into jpg files.
Anyone know for sure what it is and what it does?

I don't know what else to say but hope someone can help us get rid of this
thing.
Thanks
Anonymous
June 25, 2005 10:23:24 PM


Create a bootable floppy on a known clean machine.
Boot from that and run the low-level format tool from your hard disk vendor -
there is no way for anything to survive that.
Then boot from the operating system CD (known to be clean) and reinstall your OS.
Any further infection is caused by external infection or you're using
infected media or restoring infected data.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

>>
>>hydraoc.cpp(188)Entering OC_EXTRA_ROUTINES
>>hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
>>hydraoc.cpp(297)OC_EXTRA_ROUTINES Done. Returning 0
>>
>>hydraoc.cpp(188)Entering OC_QUERY_STATE
>>hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
>>hydraoc.cpp(704)Query State Asked For terminalserver, Original. Returning
>>SubcompOff
>>hydraoc.cpp(297)OC_QUERY_STATE Done. Returning 2
>>
>>hydraoc.cpp(188)Entering OC_CALC_DISK_SPACE
>>hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
>>subcomp.cpp(153)In OCMSubComp::o nCalcDiskSpace for TerminalServices
>>subcomp.cpp(109)sectionname = <FreshInstallSection.pro.x86>, actual
>>section
>>= <TerminalServices.FreshInstall.pro>
>>subcomp.cpp(172)Calculating disk space for add section =
>>TerminalServices.FreshInstall.pro
>>hydraoc.cpp(297)OC_CALC_DISK_SPACE Done. Returning 0
>>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>>I have lots more data!
>>
>>Anyone....ANYONE AT ALL...know what this is?? Is this known? Something new?
>>Some weird Microsoft copy protection gone bad (desktop not yet validated
>>since I keep rebuilding....laptop shouldn't be an issue)
>
> --
> First, you are not crackers. This is a very nasty bug that thankfully does
> not seem to be widespread.
> My system is infected with it also and I came here to find out how to get
> rid
> of it.
> As far as wiping the hard drive it doesn't work. I have personally
> increased
> the value of Seagate stock
> because of this nasty bug.
> There is a file called delete driver; called from a DODONt.bat
> It removes your driver and replaces it with its own driver which
> reinstalls
> of oos
> held in the upper memory of DOS.
> I am trying to figure out how to get my driver back into DOS
> The delete driver command looks like this;
> cd\
> wdscript c:\hp\bin\waitAndDelete.jse "%1" /wait:1 //b
> if exist "%1" rd /s /q "%1"
>
>
>
>
> REM this file called
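The `\??\Volume{...}` entries quoted in the original post, whose binary data ends in `#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`, use the encoding Windows keeps in `HKLM\SYSTEM\MountedDevices` for every mounted volume: a fixed MBR partition is stored as 12 bytes (4-byte disk signature plus 8-byte byte offset), a GPT partition as `DMIO:ID:` plus the partition GUID, and removable or optical devices (CD-ROM, floppy, USB media) as a UTF-16LE device interface path that always ends in that GUID, which is the volume device interface class. The following Python example is added here and is not code from the thread or from Microsoft; it decodes such values offline from constructed sample entries so that a responder can tell a normal CD-ROM or floppy mapping from a disk partition when reviewing a registry export. The volume GUID key names are the ones quoted in the post; the disk signature, device paths and GPT GUID are invented sample values.

```python
"""Decode HKLM\\SYSTEM\\MountedDevices values from sample data (added example)."""
import struct
import uuid

# Device interface class GUID that every volume device path ends with; it is
# the same GUID that appears in the "#{53f5630d-...}" suffix quoted in the thread.
GUID_DEVINTERFACE_VOLUME = "53f5630d-b6bf-11d0-94f2-00a0c91efb8b"


def decode_mounted_device(value: bytes) -> dict:
    """Classify one MountedDevices value by its binary encoding."""
    # Fixed MBR disk partition: 4-byte disk signature + 8-byte byte offset, little-endian.
    if len(value) == 12:
        signature, offset = struct.unpack("<IQ", value)
        return {"kind": "mbr_partition",
                "disk_signature": f"{signature:08x}",
                "byte_offset": offset}
    # GPT partition (Windows Vista and later): "DMIO:ID:" + 16-byte partition GUID.
    if len(value) == 24 and value.startswith(b"DMIO:ID:"):
        return {"kind": "gpt_partition",
                "partition_guid": str(uuid.UUID(bytes_le=value[8:]))}
    # Anything else is a UTF-16LE device interface path (CD/DVD, floppy, USB media).
    try:
        path = value.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return {"kind": "unknown", "raw": value.hex()}
    # The enumerator (IDE, FDC, USBSTOR, ...) is the path element before the first '#'.
    bus = path.split("#")[0].rsplit("\\", 1)[-1] if "#" in path else ""
    return {"kind": "device_path",
            "path": path,
            "bus": bus,
            "is_volume_interface": path.lower().endswith("#{%s}" % GUID_DEVINTERFACE_VOLUME)}


# Constructed sample entries (hypothetical signature, paths and GUIDs, not a real machine).
SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\C:": struct.pack("<IQ", 0x1C2D3E4F, 63 * 512),
    r"\??\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}":
        r"\??\IDE#CdRomEXAMPLE_DVD_DRIVE#5&1a2b3c4d&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}".encode("utf-16-le"),
    r"\??\Volume{317fd9f2-e117-11d9-9ee5-806d6172696f}":
        r"\??\FDC#GENERIC_FLOPPY_DRIVE#6&2bc1e2d1&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}".encode("utf-16-le"),
    r"\??\Volume{0a0b0c0d-1111-2222-3333-444455556666}":
        b"DMIO:ID:" + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le,
}


def classify(entries: dict) -> dict:
    """Map each MountedDevices key to a one-line human-readable description."""
    report = {}
    for key, raw in entries.items():
        d = decode_mounted_device(raw)
        if d["kind"] == "mbr_partition":
            report[key] = (f"MBR disk {d['disk_signature']} at byte offset "
                           f"{d['byte_offset']} (fixed disk partition)")
        elif d["kind"] == "gpt_partition":
            report[key] = f"GPT partition {d['partition_guid']} (fixed disk partition)"
        elif d["kind"] == "device_path":
            report[key] = (f"{d['bus']} device interface path "
                           "(removable or optical media, not a disk partition)")
        else:
            report[key] = "undecodable value, worth a closer look"
    return report


if __name__ == "__main__":
    for key, line in classify(SAMPLE_MOUNTED_DEVICES).items():
        print(f"{key}\n    {line}")
```

On a live Windows host the same dictionary can be filled from `winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\MountedDevices")` and `winreg.EnumValue`, or from a `.reg` export of that key; the decoder itself has no Windows dependency, so it runs on any analysis workstation.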
Anonymous
June 30, 2005 6:24:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin

Mike,

Any way to boot off an XP setup disk and break into a command prompt to ensure
it isn't reading an unattend file? Or force setup to wipe everything (format
in setup doesn't work)?

Great suggestion on the low-level, unfortunately since nothing detects this
"problem" I have no way to know if I have a clean disk. I initially went to
Kinko's to download tools, but am now wondering if my current issues are from
Kinko's....either viral or strange group policy settings. And, even if I
could get a clean floppy, it appears to infect the DMI so prevents doing
anything to the disk....formats don't work (although maybe the hardware guys
can do something directly and I will try it).

Other information for any that care:
Delete partition through setup (and create a new, different size partition)
doesn't work (log files dated from before installation). Seems to be
"mirrored" somewhere. Did find references to a "SunDisk" shadow??

Uses Performance Counters, Speech interface, SWflash, Media Encoding, .NET,
java and VSB. Looks like it runs Internet 4.0.

Boots a "SR" service which seems to restore everything to the initial image.

I think it encodes data with media encoding both to hide and to issue
"speech" commands.

Have "run into" a few websites that cause the browser to spit back a screen
about my own configuration, i.e. PSP install details, listing server details
which includes my IP. MS site failed because of my "web.config" which has
set to "remote only", among other things (haven't been able to find this
"web.config").

Well...pulling out my hair! While this is definitely sophisticated, it isn't
technically difficult, so I am surprised no one seems to have heard or seen
anything like this.

Please add anything if anyone knows anything about this!
Anonymous
July 4, 2005 5:34:14 PM

Archived from groups: microsoft.public.windowsxp.security_admin

To make any headway with this thing you are going to have to take back
ownership of the files. It changes the registry completely.
There is a software program inside it called ICE; it's a do not install file.

It's a backdoor worm that changes the system files and registry. It runs
through Real tech file. Go into services and turn off the sound. on both the
local and extended.
Once you turn off the sound you can access some of the files that keep
telling you it is being used by another program.

I'll tell you there is no easy fix for this one. It replaces all the drivers
with its own driver files. All Legacy

There is hardly anything left of the original registry.
The worm is hidden in the PC-Doctor files to begin with but it looks like it
has replicated itself in several different files. It's the service that is
running as a user.
In the Permissions it is listed as a user with a long number that is
preceded by the letter "S".
It also has a backup restore file with asr keys Not to restore, files not to
back up, keys not to restore.
It has a file named Biosinfo, cmos handler, a boot verification program,
something called Hall C state Hacks.

There is a file named "secrets" that has all their passwords. Five preset
users come with the worm.

If your worm is not a later version of the one I have the same passwords
might be in it;
CupdTime
CurrVal
OldVal
OupdTime
SecDesc

Looks like the first one has the most access.

I don't know if you can see my post or not.

If so, a reply would be nice.
Anonymous
July 5, 2005 1:20:39 AM

Archived from groups: microsoft.public.windowsxp.security_admin

Mike,

Software loaded;
Adobe
Agere
Apple Computer, Inc.
Avance
BackWeb
CO7ft5Y
Classes
Clients
Detto Technologies Inc.
Gemplus
Genesys Logic
HP
Ice
InstallShield
INTEL
InterMute
InterVideo
JavaSoft
L&H
Lead Technologies
Microsoft
MicroVision
Motive
MozillaPlugins
muvee Technologies
ODBC
PC-Doctor
Polices
Python
RealNetworks
Realtec
S3
Schlumberger
Secure
Sonic
Symantic
Wilson WindowWare
Windows 3.1 Migration Status
Xing Technology Corp.


--
Message posted via WindowsKB.com
http://www.windowskb.com/Uwe/Forums.aspx/windows-xp-sec...
Anonymous
July 5, 2005 3:17:00 AM

Archived from groups: microsoft.public.windowsxp.security_admin

Merna,

The list of software is irrelevant.

Have you successfully reinstalled the OS and do you know you are clean ?
If so then you should obviously be fully patched and also loaded with anti
virus and anti spyware.
Then add your product back from known clean media only.


--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"Merna E via WindowsKB.com" <forum@WindowsKB.com> wrote in message
news:50D586FB30E60@WindowsKB.com...
> Mike,
>
> Software loaded;
> Adobe
> Agere
> Apple Computer, Inc.
> Avance
> BackWeb
> CO7ft5Y
> Classes
> Clients
> Detto Technologies Inc.
> Gemplus
> Genesys Logic
> HP
> Ice
> InstallShield
> INTEL
> InterMute
> InterVideo
> JavaSoft
> L&H
> Lead Technologies
> Microsoft
> MicroVision
> Motive
> MozillaPlugins
> muvee Technologies
> ODBC
> PC-Doctor
> Polices
> Python
> RealNetworks
> Realtec
> S3
> Schlumberger
> Secure
> Sonic
> Symantic
> Wilson WindowWare
> Windows 3.1 Migration Status
> Xing Technology Corp.
>
>
> --
> Message posted via WindowsKB.com
> http://www.windowskb.com/Uwe/Forums.aspx/windows-xp-sec...
Anonymous
July 6, 2005 8:13:04 PM

Archived from groups: microsoft.public.windowsxp.security_admin

The worm files are in the regs. When you look at the regs they look normal.
Start removing some of the tweaks to the regs and the hidden regs show up.
The partition is also set up in the regs. There are 4 major hotkeys, within
each is a section of security regs, these alert the automated program to
repair itself should any of its files become damaged or corrupted. At the
base of these regs it always refers back to @mmsys.cpl-5848. These regs
refuse to be removed. In the permissions they are owned by the system worm
which has a long number preceded by the letter "S" as its user name. Even
taking ownership of the file did not allow me to delete it. Inside the
partition it has a set of "shells" of EX,M, and 98.
It is designed to make you think you have that OS, as you see the images of
that OS, yet the core of the program has been replaced with NT.5. There is
nothing left of XP except the facia. When you try to reformat you are simply
directed to the reinstallation of its own OS-appropriate facia. All the files
are stored in its partition.
There are tweaks to the regs to suppress the plug and play and direct
everything related to your CD-ROM and other media drives back to the drivers
in its partition, which are tweaked to allow you to use your media for
anything except installing OS or anti-virus software.
Every other line of code in the screen savers even ends with a .1; a line of
the worm's code. The worm is replicated over and over again inside the regs
and in all of the files.
There is a program called watch dog, and one called time bomb.
Apparently the watch dog keeps the worm files intact. I have seen several
references to releasing files if the remote server does not log on by a specific
time.
The remote server logs on with the password "Raw".
There is also a bunch of regs referring to a journal. By the time I found
these regs the worm was already fighting me for control and I was unable to
open the files. It has a Lockdown feature that refuses you the ability to
search, edit or delete. It also has regs to disallow the emptying of the
recycle bin.
I sure hope someone is reading this and can help me figure out how to get rid
of these persistent regs!
After I had removed all of its regs I could (before it froze up regedit) it
started converting the regs to links.
I'm way over my head here guys, could use some ideas.
Thanks
Anonymous
July 6, 2005 8:51:53 PM

Archived from groups: microsoft.public.windowsxp.security_admin

Sorry, this web-tv browser doesn't let me see what I have written until it's
posted.
Correction; The "Shells" in the regs are for the Local machine. It is set up
with facia from XP both home and Pro, Millennium and 98.
It seems to have the ability to pick up the facia of whatever OS the victim's
machine is running.


Mike,

I can't re-install the OS as it won't recognise the CD-ROM.
It keeps re-installing from the partition. Regs set up which disallow the
format to wipe the partition. It is in protected storage regs.
Partition is set up with persistent regs which it won't allow me to delete.
Thanks


--
Message posted via WindowsKB.com
http://www.windowskb.com/Uwe/Forums.aspx/windows-xp-sec...
Anonymous
July 7, 2005 12:10:48 AM

Archived from groups: microsoft.public.windowsxp.security_admin

The Windows XP CD-ROM IS bootable - you need to just set your BIOS to use the
CD as the first boot drive (see your PC or motherboard/BIOS manual).
This will run setup before anything else - you can then remove partitions
and reformat etc. Then do a clean install.
If you really want to low-level format the hard disk too just follow the
advice I have already provided.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]


""Merna E via WindowsKB.com"" <forum@WindowsKB.com> wrote in message
news:50EC5366C9D27@WindowsKB.com...
> Sorry, this web-tv browser dosen't let me see what i have written ubtil
> it's
> posted.
> Correction; The "Shells" in the regs are for the Local machine. It is set
> up
> with facia from XP both home and Pro , Millenium and 98.
> It seems to have the ability to pick up the facia of what ever od the
> victims
> machine is running.
>
>
> Mike,
>
> I can't re-install os as it won't recognise the cdrom.
> It keeps re-installing from the partition. Regs set up which disallow the
> format to wipe the partition. It is in protected storage regs.
> Partition is set up with persistent regs which it won't allow me to
> delete.
> Thanks
>
>
> --
> Message posted via WindowsKB.com
> http://www.windowskb.com/Uwe/Forums.aspx/windows-xp-sec...
Anonymous
July 7, 2005 1:30:35 AM

Archived from groups: microsoft.public.windowsxp.security_admin

Hi

After reading this whole post I have to agree with Mike, disconnect
this machine from any network, low level the drive or use debug (script
on MS site for clearing partition table) from a known clean boot disk to
level all the partitions then leave machine powered off for 20 mins ish
so there is no memory resident nasty

then with known clean media boot from the OS CD and create
partitions and install, if you are mega paranoid enable any write
protection to the CMOS that your motherboard has and also any BIOS
virus protection which only really prevents boot sector viruses but hey
give it a go

once this has been done there is no way unless from an outside source
that this can be reinfected, unless and I don't know if this is possible
but could the code reside in the CMOS if so flash the BIOS of your
motherboard with the latest version, or flash it again if you have the
latest version THEN enable write protection for the CMOS

another thing "It keeps re-installing from the partition" what on earth
does this mean, is this a system with a backup partition on to recover
from if so that may be infected but the above process will resolve that
anyway

Hope you fix it, logic dictates the above and previous advice from
Mike if followed accurately will remove the (hey make that ANY) virus

HTH

S


--
pscyime
Posted from http://www.pcreview.co.uk/ newsgroup access
Anonymous
July 28, 2005 6:25:05 PM

Archived from groups: microsoft.public.windowsxp.security_admin

Great information! Thanks! This is exactly what I've been seeing...all legacy
drivers, hotkeys, etc.

6+ hours on the phone with symantec and microsoft and still haven't been
able to reach anyone yet that knows more than I do:) 

Mike,

Can't boot off the XP disk since CMOS changes don't take effect and disables
CD-ROM boot (as Merna mentions). Might be able to boot off a floppy...but
can't download the files as it "filters" all downloads. And, I don't
have a clean machine that I can execute files from (Kinko's computers don't
allow it....maybe I'll check the library)....and finally, even if I can,
since nothing detects this...can't be 100% that it's clean anyway...

Actually appears to be an embedded NT or XP as a PXE (which would explain why
the CMOS doesn't seem to change...lots of .rom, .ram and .bin files that I
believe it uses to present a false CMOS).

This can be verified by changing "secure boot" to 0 in registry and hitting
F8...select anything...then hit F8 again immediately after it starts to boot.
It loads a few files then gives you ANOTHER "boot option" screen.

Install Linux (Linspire) and can see more of it....even changes files and
permissions there too...so maybe it's a Linux PXE??

Any way from Windows to trash/erase PXE?
Anonymous
August 27, 2005 6:14:01 PM

Archived from groups: microsoft.public.windowsxp.security_admin

Hi!

I seem to have the same infection on my computer. Has anyone figured
this out yet? Have you all managed to clean your machines without it
coming back? I'd love to have more information.

Thanks
CR
June 16, 2012 4:01:42 AM

Quote:
Archived from groups: microsoft.public.windowsxp.security_admin

Great information! Thanks! This is exactly what I've been seeing...all legacy
drivers, hotkeys, etc.

6+ hours on the phone with symantec and microsoft and still haven't been
able to reach anyone yet that knows more than I do:) 

Mike,

Can't boot off the XP disk since CMOS changes don't take effect and disables
CD-ROM boot (as Merna mentions). Might be able to boot off a floppy...but
can't download the files as it "filters" all downloads. And, I don't
have a clean machine that I can execute files from (Kinko's computers don't
allow it....maybe I'll check the library)....and finally, even if I can,
since nothing detects this...can't be 100% that it's clean anyway...



I know this is an old a$$ post but I have trashed 4 computers by this monster of all "worms" that's bullet proof! My files ... Even the "secret" where all passwords are located from a ton of users which log on even if I'm not on the net using fax and scanner and printer ports I assume is one way in along with event logs, windows defender, disk management, defrag, firewall and rundll.exe no matter where I am or how hard I try it cannot be stopped from accessing the net...and users sign in as services! I got mine from what Clearwire told me over and over their driver USB is write protected and impossible.... Bulls/;t because I uploaded the setup file to VirusTotal!! Even took HDDs and had them 0'ed and still come back! Even used Hiren's boot disc and got so frustrated pulled the HDD out booted up and found RAM is infested.... It's like a nightmare and it's driven me to the brink of self destruction or get meds people say is needed
when I tell them what these possessed machines do! I'd be so grateful if someone can assist removing this beast pleeeeeeeease!?


Actually appears to be an embedded NT or XP as a PXE (which would explain why
the CMOS doesn't seem to change...lots of .rom, .ram and .bin files that I
believe it uses to present a false CMOS).

This can be verified by changing "secure boot" to 0 in registry and hitting
F8...select anything...then hit F8 again immediately after it starts to boot.
It loads a few files then gives you ANOTHER "boot option" screen.

Install Linux (Linspire) and can see more of it....even changes files and
permissions there too...so maybe it's a Linux PXE??

Any way from Windows to trash/erase PXE?

June 16, 2012 4:08:58 AM

I have no idea how my post ended up where it did so I'm going to repost in hopes somebody can help!?

I know this is an old a$$ post but I have trashed 4 computers by this monster of all "worms" that's bullet proof! My files ... Even the "secret" where all passwords are located from a ton of users which log on even if I'm not on the net using fax and scanner and printer ports I assume is one way in along with event logs, windows defender, disk management, defrag, firewall and rundll.exe no matter where I am or how hard I try it cannot be stopped from accessing the net...and users sign in as services! I got mine from what Clearwire told me over and over their driver USB is write protected and impossible.... Bulls/;t because I uploaded the setup file to VirusTotal!! Even took HDDs and had them 0'ed and still come back! Even used Hiren's boot disc and got so frustrated pulled the HDD out booted up and found RAM is infested.... It's like a nightmare and it's driven me to the brink of self destruction or get meds people say is needed
when I tell them what these possessed machines do! I'd be so grateful if someone can assist removing this beast pleeeeeeeease!?