HELP! Terminal Service Trojan??

G

Guest

I'll try to be brief and follow-up with a few more details in "reply" posting.

It seems I have a trojan (or something...??) that I can't get rid of with a
disk wipe.

Why do I think I have a trojan?
General weird behavior, admins don't have permission for everything,
autoupdate doesn't always work, downloads appear to be "filtered" and
replaced (certificates on downloads invalid, wrong files, etc.), virus
software is removed, weird port activity, and unfamiliar "options" in software
installed.

Setup Process:
=================
Ghost &/or diskpartition secure disk wipe
Install XP Home w/ two user accounts
Install XP SP2 from MS disk (got in snail mail)
Install Norton Internet Security 2005 (also tried TrendMicro & Comp. Assoc)
Set Passwords for all accounts including Administrator (using net cmd)
Connect to Internet (through switch & firewalled gateway-->most ports blocked)
Get all latest Updates
Install Office 2003 Pro and get updates
(also tried various changes to this process including bios/cmos resets)
"Scans" are clean w/ software, internet website scans, and adaware/hotbot
(believe TS scanned, not host)

Results:
=========
PC appears to be added to a domain w/ AD. Users are <computername>\user
Registry has Sidebyside .NET installations
Templates and other components, like games, can't be removed through control
panel settings
Browser cache is "encrypted" and isn't removed through disk clean up or
"clear cache"

IME-chinese&japanese installed
IEAK installed

All devices are "legacy" and IDE is installed as SCSI


Boot partition is set to: \device\harddrive1\
Most hive files saved to: \device\harddrive1\ -- nothing in
c:\windows\system32\config\

Floppy and CD-Rom are mounted to hard drive (I think). CD-Rom is "cached" to
"CD_burning"

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
\??\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}
binary data indicates \??\cdrom mounted on
"stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
\??\Volume{317fd9f2-e117-11d9-9ee5-806d6172696f}
binary data indicates \??\genfloppy mounted on
"stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Registry has HLM->system->Setup key with "allowstart" for
AFD/Dcomlaunch/rpcss/protectedstorage/eventlog/plugplay/sacsvr/samss/ws2ifsl

Safemode looks like there are chinese or japanese characters in the corner

Laptop AGP Aperture mem is set to start at: F8000000 <--boot [desktop has
altered ACPI values?]

and logs like: TSCOS.LOG

Here's a snippet
++++++++++++++++++++++++++++++++++

*******Initializing Message Log:tsoc.dll 06/19/05 23:11:00
*******Version:Major=5, Minor=1, Build=2600, PlatForm=2, CSDVer=, Free

hydraoc.cpp(188)Entering OC_PREINITIALIZE
hydraoc.cpp(189)Component=terminalserver, SubComponent=?????????A
hydraoc.cpp(297)OC_PREINITIALIZE Done. Returning 1


hydraoc.cpp(188)Entering OC_INIT_COMPONENT
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
state.cpp(1006)Setup Parameters ****************************
state.cpp(1007)We are running on Wks
state.cpp(1008)Is this adv server No
state.cpp(1009)Is this Personal (Home Edition) Yes
state.cpp(1010)Is this SBS server No
state.cpp(1011)IsStandAloneSetup = No
state.cpp(1012)IsFreshInstall = Yes
state.cpp(1013)IsTSFreshInstall = Yes
state.cpp(1014)IsUnattendSetup = No
state.cpp(1015)IsUpgradeFromTS40 = No
state.cpp(1016)IsUpgradeFromNT50 = No
state.cpp(1017)IsUpgradeFromNT51 = No
state.cpp(1018)IsUnattended = No
state.cpp(1020)Original State ******************************
state.cpp(1021)WasTSInstalled = No
state.cpp(1022)WasTSEnabled = No
state.cpp(1023)OriginalPermMode = WIN2K
state.cpp(1037)Original TS Mode = TS Disabled
state.cpp(1050)Current State ******************************
state.cpp(1065)New TS Mode = Personal TS
state.cpp(1075)New Permissions Mode = PERM_WIN2K
state.cpp(1084)New Connections Allowed = False
hydraoc.cpp(297)OC_INIT_COMPONENT Done. Returning 0

hydraoc.cpp(188)Entering OC_EXTRA_ROUTINES
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
hydraoc.cpp(297)OC_EXTRA_ROUTINES Done. Returning 0

hydraoc.cpp(188)Entering OC_QUERY_STATE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
hydraoc.cpp(704)Query State Asked For terminalserver, Original. Returning
SubcompOff
hydraoc.cpp(297)OC_QUERY_STATE Done. Returning 2

hydraoc.cpp(188)Entering OC_CALC_DISK_SPACE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
subcomp.cpp(153)In OCMSubComp::OnCalcDiskSpace for TerminalServices
subcomp.cpp(109)sectionname = <FreshInstallSection.pro.x86>, actual section
= <TerminalServices.FreshInstall.pro>
subcomp.cpp(172)Calculating disk space for add section =
TerminalServices.FreshInstall.pro
hydraoc.cpp(297)OC_CALC_DISK_SPACE Done. Returning 0
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I have lots more data!

Anyone....ANYONE AT ALL...know what this is?? Is this known? Something new?
Some weird Microsoft copy protection gone bad (desktop not yet validated
since I keep rebuilding....laptop shouldn't be an issue)
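The MountedDevices values quoted above can be decoded rather than eyeballed. In the Windows 2000/XP mount manager key, a 12-byte REG_BINARY value is an MBR disk signature plus a partition byte offset, a value beginning with "DMIO:ID:" is a dynamic-disk volume id, and anything else is a UTF-16LE device interface path of the form \??\<bus>#<device>#<instance>#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, where the trailing GUID is the volume device-interface class; that is how the mount manager records CD-ROM and floppy drives. The Python below is an added example written for this page, not code from the thread. The device strings in SAMPLE_VALUES are constructed to have the right shape and are not the poster's actual data.

```python
import struct

# GUID_DEVINTERFACE_VOLUME: the interface class GUID that terminates the
# device paths stored for CD-ROM, floppy and other non-partition volumes.
VOLUME_INTERFACE_GUID = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"


def decode_mounted_device(value: bytes) -> dict:
    """Decode one REG_BINARY value from HKLM\\SYSTEM\\MountedDevices.

    Three encodings occur on Windows 2000/XP:
      * exactly 12 bytes: little-endian 4-byte MBR disk signature followed by
        an 8-byte partition start offset in bytes (a basic-disk partition);
      * data beginning with b"DMIO:ID:": a dynamic (LDM) volume id;
      * anything else: a UTF-16LE device interface path such as
        \\??\\IDE#CdRom...#{53f5630d-...}, used for optical/removable devices.
    (A genuine UTF-16 path of exactly six characters never occurs, so the
    12-byte test is safe in practice.)
    """
    if len(value) == 12:
        disk_signature, start_offset = struct.unpack("<IQ", value)
        return {"kind": "mbr_partition",
                "disk_signature": f"{disk_signature:08x}",
                "start_offset": start_offset}
    if value.startswith(b"DMIO:ID:"):
        return {"kind": "dynamic_volume", "volume_id": value[8:].hex()}
    try:
        path = value.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return {"kind": "unknown", "raw": value.hex()}
    # \??\<bus>#<device id>#<instance id>#{interface class guid}
    fields = path.split("#")
    if len(fields) != 4 or not fields[0].startswith("\\??\\"):
        return {"kind": "unknown", "raw": path}
    return {"kind": "device_interface",
            "bus": fields[0][4:],            # e.g. IDE, FDC, USBSTOR
            "device": fields[1],
            "instance": fields[2],
            "interface_guid": fields[3].lower(),
            "is_volume_interface": fields[3].lower() == VOLUME_INTERFACE_GUID}


def describe(values: dict) -> list:
    """One human-readable line per MountedDevices value, sorted by value name."""
    lines = []
    for name in sorted(values):
        d = decode_mounted_device(values[name])
        if d["kind"] == "mbr_partition":
            what = f"MBR disk {d['disk_signature']} @ byte offset {d['start_offset']}"
        elif d["kind"] == "device_interface":
            what = f"{d['bus']} device {d['device']} (instance {d['instance']})"
        elif d["kind"] == "dynamic_volume":
            what = f"dynamic volume {d['volume_id']}"
        else:
            what = f"undecoded: {d['raw']}"
        lines.append(f"{name} -> {what}")
    return lines


def read_live_mounted_devices() -> dict:
    """On Windows, pull the real key (reading it needs no admin rights)."""
    import winreg  # only available on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\MountedDevices") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            values[name] = data
            index += 1
    return values


# Constructed sample values (not the poster's data). The device strings are
# made up but follow the real \??\<bus>#<id>#<instance>#{guid} layout.
SAMPLE_VALUES = {
    "\\DosDevices\\C:": struct.pack("<IQ", 0x1A2B3C4D, 32256),   # LBA 63 * 512
    "\\??\\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}":
        "\\??\\IDE#CdRomEXAMPLE_DVD_DRIVE#5&1b9d5a0c&0&0.0.0#"
        "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}".encode("utf-16-le"),
    "\\??\\Volume{317fd9f2-e117-11d9-9ee5-806d6172696f}":
        "\\??\\FDC#GENERIC_FLOPPY_DRIVE#6&2a4b8e&0&0#"
        "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}".encode("utf-16-le"),
    "\\??\\Volume{0f0f0f0f-0000-0000-0000-000000000001}":
        b"DMIO:ID:" + bytes(range(16)),
}

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_VALUES)))
```

On Windows, read_live_mounted_devices() fills the same dictionary from the real key; from another machine, export the key with reg export and feed the hex to decode_mounted_device, or read the SYSTEM hive offline from the suspect disk.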
 
G

Guest

A few more details:

I think that this "thing" sits on a system partition it hijacks during setup
and then never tells the OS setup is finished so the system partition never
gets erased.

It is clearly also doing a system restore or backup at every boot to make
sure it comes back.

It also seems to create a shadow copy of itself. The OS reports I run out of
space for occasional updates, when everything says I have 25+ gigs.

A number of the controls appear to be either java or .net "copies".

Communicates w/ pipes. Sets up a web server, as evidenced by the inetsrv folder
in c:\windows (unless that's an office thing). Seems to "encode" data into
media streams and use ADO. Sets up update services so the "terminal os" gets
patched versions of updates or doesn't install them (or uninstalls them).
Disables motherboard devices through invalid updates with smbios...maybe
firmware, which disables any ability to boot first or get to the CMOS on
some systems.

Caches software and then runs it through a host3g.dll or similar and looks
like it uses the processor performance counters to monitor things.

If you're successful in getting the system partition removed, then you've also
removed your registry so it won't boot.

Creates $winnt$.inf where I think it may mount from??

I know this sounds a bit paranoid, but I have all the data....after months
of banging my head!

please let me know if this is all really legit so I can stop looking at
this!!:)
 
M

Mike Brannigan [MSFT]

SRGriffin said:
I'll try to be brief and follow-up with a few more details in "reply"
posting.

It seems I have a trojan (or something...??) that I can't get rid of with
a
disk wipe.
...

If you believe you have something on your disk that is surviving a "disk
wipe" (this really depends on what you think you are doing and how you are
doing this) - then low level format the entire disk (you do this at your own
risk and must follow the manufacturer's instructions for this process).

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

 
G

Guest

I guess what I mean to say is that it survives the "process" of a disk wipe.
(A disk wipe meaning a DOD disk wipe in Ghost and a Secure Erase in
diskpartition). So either something is booting off the disk and redirecting
IO, or there is something in flash memory somewhere that comes back, or some
combination.

So since this isn't some known MS thing, I'll start posting more liberally
around the web to see what I can find.

Anyway to verify my observations?

Mike Brannigan said:
SRGriffin said:
I'll try to be brief and follow-up with a few more details in "reply"
posting.

It seems I have a trojan (or something...??) that I can't get rid of with
a
disk wipe.
...

If you believe you have something on your disk that is surviving a "disk
wipe" (this really depends on what you think you are doing and how you are
doing this) - then low level format the entire disk (you do this at your own
risk and must follow the manufacturer's instructions for this process).

 
M

Merna E via WindowsKB.com

SRGriffin said:
I'll try to be brief and follow-up with a few more details in "reply" posting.

It seems I have a trojan (or something...??) that I can't get rid of with a
disk wipe.
...

--
First, you are not crackers. This is a very nasty bug that thankfully does
not seem to be widespread.
My system is infected with it also and I came here to find out how to get rid
of it.
As far as wiping the hard drive, it doesn't work. I have personally increased
the value of Seagate stock
because of this nasty bug.
There is a file called delete driver, called from a DODONt.bat.
It removes your driver and replaces it with its own driver which reinstalls
its OS
held in the upper memory of DOS.
I am trying to figure out how to get my driver back into DOS.
The delete driver command looks like this;
cd\
REM %1 is the directory to wait on and then remove, together with everything in it
wscript c:\hp\bin\WaitAndDelete.jse "%1" /wait:1 //b
if exist "%1" rd /s /q "%1"

REM this file called
 
M

Merna E via WindowsKB.com

You are not crackers. It removes your CD-ROM drivers and replaces them
with a fake driver that links to its hideaway in DOS upper memory and just
re-installs its own modified version of whatever OS you are running.

I have the same bug and have been hunting a fix for it.
I have trashed three computers and ruined countless hard drives trying to get
rid of this nasty thing.
The Delete Driver file is called by the device driver's DODONT.bat and
looks like this;
cd\
REM %1 is the directory to wait on and then remove, together with everything in it
wscript c:\hp\bin\WaitAndDelete.jse "%1" /wait:1 //b
if exist "%1" rd /s /q "%1"

No one has seen this thing. They all tell me I'm crackers, it can't do that,
but it did.
It takes advantage of several exploits; it's like three worms in one.
It is even running TaToo to infest jpg files.

Now this part no one believes, but it's in there: I couldn't figure out how I
kept getting re-infested.
New puters, not hooked to the internet, and it would load at start up!
It opens a backdoor port to let a hacker in, and he or the original
infestation must have somehow got into my HP LaserJet 5M
printer and changed the network configuration files on the printer.
So now I have to figure out how to clean that and the puter.

 
M

Merna E via WindowsKB.com

The two languages you are seeing are regular
Chinese and simple Chinese.

I found most of the log files on its installation.
I found a list of all the files it deleted; I am not a computer guru though
and have no idea how to fix this mess I have.
I found a perl/cmd script File: Author kumarp 21-August-98
Also there is a RPCRC.BAT that locates and changes the partition.
It (the bug) changes Norton firewall and virus detection, changed the Windows
firewall, and disables the Service Pack 2 patches.

I am stuck with web-tv so I can't cut and paste.
I wouldn't anyway as I don't want to give a complete road map
on how to build and run this monster. But if
someone at Microsoft is willing to help us I would be more than glad to print
this mess out and mail it to them.
Look for a file regopt; it gives the unattended file path.

There is a file BDMI which shows buildId=44NAheBLW1
and sets something called TATOO_VER=61
I checked the Symantec site and this seems to be a file for encrypting text
into jpg files.
Anyone know for sure what it is and what it does?

I don't know what else to say but hope someone can help us get rid of this
thing.
Thanks
 
M

Mike Brannigan [MSFT]

Create a bootable floppy on a known clean machine.
Boot from that and run the low-level format tool from your hard disk vendor -
there is no way for anything to survive that.
Then boot from the operating system CD (known to be clean) and reinstall your OS.
Any further infection is caused by external infection or you're using
infected media or restoring infected data.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

Merna E via WindowsKB.com said:
SRGriffin said:
I'll try to be brief and follow-up with a few more details in "reply"
posting.

It seems I have a trojan (or something...??) that I can't get rid of with
a
disk wipe.

Why do I think I think I have a trojan?
General weird behavior, admins don't have permission for everything,
autoupdate doesn't always work, downloads appear to be "filtered" and
replaced (certificates on downloads invalid, wrong files, etc.), viirus
software is removed, weird port activity, and unfamilar "options" in
software
installed.

Setup Process:
=================
Ghost &/or diskpartition secure disk wipe
Install XP Home w/ two user accounts
Install XP SP2 from MS disk (got in snail mail)
Install Norton Internet Security 2005 (also tried TrendMicro & Comp.
Assoc)
Set Passwords for all accounts including Administrator (using net cmd)
Connect to Internet (through switch & firewalled gateway-->most ports
blocked)
Get all latest Updates
Install Office 2003 Pro and get updates
(also tried various changes to this process including bios/cmos resets)
"Scans" are clean w/ software, internet website scans, and adaware/hotbot
(believe TS scanned, not host)

Results:
=========
PC appears to be added to a domain w/ AD. Users are <computername>\user
Registry has Sidebyside .NET installations
Templates and other components, like games, can't be removed through
control
panel settings
Browser cache is "encrypted" and isn't removed through disk clean up or
"clear cache"

IME-chinese&japanese installed
IEAK installed

All devices are "legacy" and IDE is installed as SCSI

Boot partition is set to: \device\harddrive1\
Most hive files saved to: \device\harddrive1\ -- nothing in
c:\windows\system32\config\

Floppy and CD-Rom are mounted to hard drive (I think). CD-Rom is "cached"
to
"CD_burning"

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
\??\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}
binary data indicates \??\cdrom mounted on
"stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
\??\Volume{317fd9f2-e117-11d9-9ee5-806d6172696f}
binary data indicates \??\genfloppy mounted on
"stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Registry has HLM->system->Setup key with "allowstart" for
AFD/Dcomlaunch/rpcss/protectedstorage/eventlog/plugplay/sacsvr/samss/ws2ifsl

Safemode looks like there are chinese or japanese characters in the corner

Laptop AGP Apeture mem is set to start at: F8000000 <--boot [desktop has
altered ACPI values?]

and logs like: TSCOS.LOG

Here's a snip-it
++++++++++++++++++++++++++++++++++

*******Initializing Message Log:tsoc.dll 06/19/05 23:11:00
*******Version:Major=5, Minor=1, Build=2600, PlatForm=2, CSDVer=, Free

hydraoc.cpp(188)Entering OC_PREINITIALIZE
hydraoc.cpp(189)Component=terminalserver, SubComponent=?????????A
hydraoc.cpp(297)OC_PREINITIALIZE Done. Returning 1

hydraoc.cpp(188)Entering OC_INIT_COMPONENT
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
state.cpp(1006)Setup Parameters ****************************
state.cpp(1007)We are running on Wks
state.cpp(1008)Is this adv server No
state.cpp(1009)Is this Personal (Home Edition) Yes
state.cpp(1010)Is this SBS server No
state.cpp(1011)IsStandAloneSetup = No
state.cpp(1012)IsFreshInstall = Yes
state.cpp(1013)IsTSFreshInstall = Yes
state.cpp(1014)IsUnattendSetup = No
state.cpp(1015)IsUpgradeFromTS40 = No
state.cpp(1016)IsUpgradeFromNT50 = No
state.cpp(1017)IsUpgradeFromNT51 = No
state.cpp(1018)IsUnattended = No
state.cpp(1020)Original State ******************************
state.cpp(1021)WasTSInstalled = No
state.cpp(1022)WasTSEnabled = No
state.cpp(1023)OriginalPermMode = WIN2K
state.cpp(1037)Original TS Mode = TS Disabled
state.cpp(1050)Current State ******************************
state.cpp(1065)New TS Mode = Personal TS
state.cpp(1075)New Permissions Mode = PERM_WIN2K
state.cpp(1084)New Connections Allowed = False
hydraoc.cpp(297)OC_INIT_COMPONENT Done. Returning 0

hydraoc.cpp(188)Entering OC_EXTRA_ROUTINES
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
hydraoc.cpp(297)OC_EXTRA_ROUTINES Done. Returning 0

hydraoc.cpp(188)Entering OC_QUERY_STATE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
hydraoc.cpp(704)Query State Asked For terminalserver, Original. Returning
SubcompOff
hydraoc.cpp(297)OC_QUERY_STATE Done. Returning 2

hydraoc.cpp(188)Entering OC_CALC_DISK_SPACE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
subcomp.cpp(153)In OCMSubComp::OnCalcDiskSpace for TerminalServices
subcomp.cpp(109)sectionname = <FreshInstallSection.pro.x86>, actual
section
= <TerminalServices.FreshInstall.pro>
subcomp.cpp(172)Calculating disk space for add section =
TerminalServices.FreshInstall.pro
hydraoc.cpp(297)OC_CALC_DISK_SPACE Done. Returning 0
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I have lots more data!

Anyone....ANYONE AT ALL...know what this is?? Is this known? Something new?
Some weird Microsoft copy protection gone bad (desktop not yet validated
since I keep rebuilding....laptop shouldn't be an issue)

--
First, you are not crackers. This is a very nasty bug that thankfully does
not seem to be widespread.
My system is infected with it also and I came here to find out how to get rid
of it.
As far as wiping the hard drive, it doesn't work. I have personally increased
the value of Seagate stock because of this nasty bug.
There is a file called delete driver, called from a DODONt.bat.
It removes your driver and replaces it with its own driver, which reinstalls
of oos
held in the upper memory of DOS.
I am trying to figure out how to get my driver back into DOS.
The delete driver command looks like this:
cd\
wscript c:\hp\bin\waitAndDelete.jse "%1" /wait:1 //b
if exist "%1" rd /s /q "%1"




REM this file called
 
G

Guest

Mike,

Any way to boot off an XP setup disk and break into a command prompt to ensure
it isn't reading an unattend file? Or force setup to wipe everything (format
in setup doesn't work)?

Great suggestion on the low-level, unfortunately since nothing detects this
"problem" I have no way to know if I have a clean disk. I initially went to
Kinko's to download tools, but am now wondering if my current issues are from
Kinko's....either viral or strange group policy settings. And, even if I
could get a clean floppy, it appears to infect the DMI so prevents doing
anything to the disk....formats don't work (although maybe the hardware guys
can do something directly and I will try it).

Other information for any that care:
Delete partition through setup (and create a new, different size partition)
doesn't work (log files dated from before installation). Seems to be
"mirrored" somewhere. Did find references to a "SunDisk" shadow??

Uses Performance Counters, Speech interface, SWflash, Media Encoding, .NET,
java and VSB. Looks like it runs Internet 4.0.

Boots a "SR" service which seems to restore everything to the initial image.

I think it encodes data with media encoding both to hide and to issue
"speech" commands.

Have "run into" a few websites that cause the browser to spit back a screen
about my own configuration, i.e. PSP install details, listing server details
which includes my IP. MS site failed because of my "web.config" which has
set to "remote only", among other things (haven't been able to find this
"web.config").

well...pulling out my hair! While this is definitely sophisticated, it isn't
technically difficult, so surprised no one seems to have heard or seen
anything like this.

Please add anything if anyone knows anything about this!
 
M

Merna E via WindowsKB.com

To make any headway with this thing you are going to have to take back
ownership of the files. It changes the registry completely.
There is a software program inside it called ICE; it's a do not install file.

It's a backdoor worm that changes the system files and registry. It runs
through Real tech file. Go into services and turn off the sound. on both the
local and extended.
Once you turn off the sound you can access some of the files that keep
telling you it is being used by another program.

I'll tell you there is no easy fix for this one. It replaces all the drivers
with it's own driver files. All Legacy

There is hardly anything left of the original registry.
The worm is hidden in the PC-Doctor files to begin with but it looks like it
has replicated itself in several different files. It's the service that is
running as a user.
In the Permissions it is listed as a user with a long number that is
preceded by the letter "S".
It also has a backup restore file with asr keys Not to restore, files not to
back up, keys not to restore.
It has a file named Biosinfo, cmos handler, a boot verification program,
something called Hall C state Hacks.

There is a file named "secrets" that has all their passwords. Five preset
users come with the worm.

If your worm is not a later version of the one I have the same passwords
might be in it;
CupdTime
CurrVal
OldVal
OupdTime
SecDesc

Looks like the first one has the most access.

I don't know if you can see my post or not.

If so, a reply would be nice.
 
M

Merna E via WindowsKB.com

Mike,

Software loaded;
Adobe
Agere
Apple Computer, Inc.
Avance
BackWeb
CO7ft5Y
Classes
Clients
Detto Technologies Inc.
Gemplus
Genesys Logic
HP
Ice
InstallShield
INTEL
InterMute
InterVideo
JavaSoft
L&H
Lead Technologies
Microsoft
MicroVision
Motive
MozillaPlugins
muvee Technologies
ODBC
PC-Doctor
Polices
Python
RealNetworks
Realtec
S3
Schlumberger
Secure
Sonic
Symantic
Wilson WindowWare
Windows 3.1 Migration Status
Xing Technology Corp.
 
M

Mike Brannigan [MSFT]

Merna,

The list of software is irrelevant.

Have you successfully reinstalled the OS and do you know you are clean?
If so then you should obviously be fully patched and also loaded with anti
virus and anti spyware.
Then add your product back from known clean media only.


--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
M

Merna E via WindowsKB.com

The worm files are in the regs. When you look at the regs they look normal.
Start removing some of the tweaks to the regs and the hidden regs show up.
The partition is also set up in the regs. There are 4 major hotkeys, within
each is a section of security regs, these alert the automated program to
repair itself should any of its files become damaged or corrupted. At the
base of these regs it always refers back to @mmsys.cpl-5848. These regs
refuse to be removed. In the permissions they are owned by the system worm
which has a long number preceded by the letter "S" as its user name. Even
taking ownership of the file did not allow me to delete it. Inside the
partition it has a set of "shells" of EX, M, and 98.
It is designed to make you think you have that OS, as you see the images of
that OS, yet the core of the program has been replaced with NT.5. There is
nothing left of XP except the facia. When you try to reformat you are simply
directed to the reinstallation of its own OS-appropriate facia. All the files
are stored in its partition.
There are tweaks to the regs to suppress the plug and play and direct
everything related to your CD-ROM and other media drives back to the drivers
in its partition, which are tweaked to allow you to use your media for
anything except installing OS or anti-virus software.
Every other line of code in the screen savers even ends with a .1; a line of
the worm's code. The worm is replicated over and over again inside the regs
and in all of the files.
There is a program called watch dog, and one called time bomb.
Apparently the watch dog keeps the worm files intact. I have seen several
references releasing files if the remote server does not log on by a specific
time.
The remote server logs on with the password "Raw".
There is also a bunch of regs referring to a journal. By the time I found
these regs the worm was already fighting me for control and I was unable to
open the files. It has a Lockdown feature that refuses you the ability to
search, edit or delete. It also has regs to disallow the emptying of the
recycle bin.
I sure hope someone is reading this and can help me figure out how to get rid
of these persistent regs!
After I had removed all of its regs I could (before it froze up regedit) it
started converting the regs to links.
I'm way over my head here guys, could use some ideas.
Thanks
 
M

Merna E via WindowsKB.com

Sorry, this web-tv browser doesn't let me see what I have written until it's
posted.
Correction; The "Shells" in the regs are for the Local machine. It is set up
with facia from XP both Home and Pro, Millennium and 98.
It seems to have the ability to pick up the facia of whatever OS the victim's
machine is running.


Mike,

I can't re-install the OS as it won't recognise the CD-ROM.
It keeps re-installing from the partition. Regs are set up which disallow the
format to wipe the partition. It is in protected storage regs.
The partition is set up with persistent regs which it won't allow me to delete.
Thanks
 
M

Mike Brannigan [MSFT]

The Windows XP CD ROM IS bootable - you need to just set your BIOS to use the
CD as the first boot drive (see your PC or motherboard/BIOS manual).
This will run setup before anything else - you can then remove partitions
and reformat etc. Then do a clean install.
If you really want to low level format the harddisk too just follow the
advice I have already provided

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 
Hi

After reading this whole post I have to agree with Mike: disconnect this machine from any network, low level the drive or use debug (script on the MS site for clearing the partition table) from a known clean bootdisk to level all the partitions, then leave the machine powered off for 20 mins ish so there is no memory resident nasty.

Then with known clean media boot from the OS CD and create partitions and install. If you are mega paranoid, enable any write protection to the CMOS that your motherboard has and also any BIOS virus protection, which only really prevents boot sector viruses, but hey, give it a go.

Once this has been done there is no way, unless from an outside source, that this can be reinfected. Unless, and I don't know if this is possible, the code could reside in the CMOS; if so flash the BIOS of your motherboard with the latest version, or flash it again if you have the latest version, THEN enable write protection for the CMOS.

Another thing: "It keeps re-installing from the partition" - what on earth does this mean? Is this a system with a backup partition to recover from? If so that may be infected, but the above process will resolve that anyway.

Hope you fix it. Logic dictates the above and previous advice from Mike, if followed accurately, will remove the (hey, make that ANY) virus.

HTH

S
 
G

Guest

Great information! Thanks! This is exactly what I've been seeing...all legacy
drivers, hotkeys, etc.

6+ hours on the phone with symantec and microsoft and still haven't been
able to reach anyone yet that knows more than I do:)

Mike,

Can't boot off the XP disk since CMOS changes don't take effect and it disables
CD-ROM boot (as Merna mentions). Might be able to boot off a floppy...but
can't download the files as it "filters" all downloads. And, I don't
have a clean machine that I can execute files from (Kinko's computers don't
allow it....maybe I'll check the library)....and finally, even if I can,
since nothing detects this...can't be 100% that it's clean anyway...

Actually appears to be an embedded NT or XP as a PXE (which would explain why
the CMOS doesn't seem to change...lots of .rom, .ram and .bin files that I
believe it uses to present a false CMOS).

This can be verified by changing "secure boot" to 0 in registry and hitting
F8...select anything...then hit F8 again immediately after it starts to boot.
It loads a few files then gives you ANOTHER "boot option" screen.

Install Linux (Linspire) and can see more of it....even changes files and
permissions there too...so maybe it's a Linux PXE??

Any way from Windows to trash/erase the PXE?
 
I see your post and I read you loud and clear!!

Did you ever find a solution for this?? I have the same damn thing and I have been battling it for the past 3 months. I, too, brought brand new virgin disks in and still got reinfected. One other thing it seems to do is alter the BIOS and also created 63 hidden sectors (~5MB) on my new hard drive using one of the various utilities out there that does this...and so the MBR is placed not at the very beginning of the disk and it writes some code, not sure what, to these hidden sectors...that much I am clear on.

Anyhow, you were struggling with this over a year so I am sure that you have gotten it licked by now, so if you could kindly share that with me, I would be most appreciative. As a general statement, my observations of its behavior, and the results it yields, are essentially identical to what you have seen and stated here. What kind of idiot spends time writing software that simply irritates people and renders their machines useless? When I think of this person, or people, I keep asking the question in my head "Who raised you?"

-Mark
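The advice from S above (clear the partition table from a known clean boot disk, then rebuild) and Mark's observation of 63 hidden sectors before the first partition can both be checked by reading sector 0 of the disk. This added Python example is not from the thread or from any tool it names; it assumes 512-byte sectors and a classic MBR layout (where a first partition at LBA 63 is the normal legacy cylinder-boundary alignment, 63 sectors being about 32 KB) and constructs all disk bytes inline.

```python
"""Added example (not from the thread): parse sector 0 of a disk, the MBR,
and check the unallocated gap between the MBR and the first partition, the
area the posts above describe as "hidden sectors".
Assumes 512-byte sectors and a classic MBR layout; all bytes are constructed."""
import struct

SECTOR = 512


def parse_mbr(sector0: bytes) -> dict:
    """Return signature status, the used primary partition entries, and the
    number of sectors that precede the first partition."""
    if len(sector0) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        start_lba, size = struct.unpack("<II", entry[8:16])
        if ptype == 0 and start_lba == 0 and size == 0:
            continue  # unused slot
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "start_lba": start_lba, "sectors": size})
    hidden = min((p["start_lba"] for p in partitions), default=0)
    return {
        "signature_ok": sector0[510:512] == b"\x55\xaa",
        "boot_code_present": any(sector0[:446]),
        "partitions": partitions,
        "hidden_sectors": hidden,         # 63 is the legacy cylinder alignment
        "hidden_bytes": hidden * SECTOR,  # 63 * 512 = 32256, about 32 KB
    }


def is_wiped(sector0: bytes) -> bool:
    """True when sector 0 holds neither boot code nor a partition table,
    i.e. what a successful partition-table clear should leave behind."""
    return not any(sector0)


def gap_is_empty(image: bytes) -> bool:
    """True when every sector between the MBR and the first partition is zero.
    A normal format only touches the partition, so anything stored in this
    gap survives it; check it after a rebuild from clean media."""
    hidden = parse_mbr(image[:SECTOR])["hidden_sectors"]
    return not any(image[SECTOR:hidden * SECTOR])


def build_sample_mbr() -> bytes:
    """Constructed MBR: non-zero boot code, one bootable NTFS partition
    (type 0x07) at LBA 63, 20480 sectors long, and the 0x55AA signature."""
    boot_code = b"\xeb\x3c\x90" + bytes(443)      # jump stub, then padding
    entry = (bytes([0x80, 1, 1, 0, 0x07, 0xfe, 0x3f, 0xff])
             + struct.pack("<II", 63, 20480))
    return boot_code + entry + bytes(48) + b"\x55\xaa"


SAMPLE_MBR = build_sample_mbr()
PARTITION_START = b"NTFS" + bytes(SECTOR - 4)  # stand-in first partition sector
# Constructed images: a clean 62-sector gap, and one with code-like bytes in it.
CLEAN_IMAGE = SAMPLE_MBR + bytes(62 * SECTOR) + PARTITION_START
DIRTY_IMAGE = (SAMPLE_MBR + bytes(10 * SECTOR) + b"\x90" * SECTOR
               + bytes(51 * SECTOR) + PARTITION_START)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("dirty", DIRTY_IMAGE)):
        info = parse_mbr(img[:SECTOR])
        print(name, info["partitions"], "hidden sectors:", info["hidden_sectors"],
              "gap empty:", gap_is_empty(img))
    print("zeroed sector 0 counts as wiped:", is_wiped(bytes(SECTOR)))
```

To check a real disk from a live CD, read its first 63 sectors (for example `dd if=/dev/sda bs=512 count=63`) into `image` and pass it to `gap_is_empty`; the same parse on a freshly cleared table should return no partitions.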
 
B

Bubba Catts

OH MY GOD !!

I don't believe it!
FINALLY!!!!!!!!!!!!

I was TAKEN HOSTAGE by this thing on Thanksgiving day 2004
it originally was flagged by my AV as W32/Agobot-UE Worm

It took over all 18 of my machines, PLUS the new Gateway laptop I bought in
dec 04, after thinking I had a virus in my physical memory, and after that
was infected, I purchased a Sony Vaio media center machine dec 27 2004
and on the way home, stopped at Barnes & Noble and used their internet and
installed all updates and patches, XP SP2 etc
EVERYTHING
THAT SAME NIGHT it was eaten also
after 22 hrs daily straight for over 2 months, I fired my tech.
EVERYONE thought I was going CRAZY and was making fun of me behind my back,
after I told them I was doing complete format and was infected BEFORE I ever
hooked to the internet
the damn thing was showing in the logs as connecting to RAS via infrared
when one goes 4-5 months on 12-15 hours sleep a WEEK, that also starts
eating at you, not counting the fact I lost my high 5 figure yearly income
business.
I went so far as to remove completely ALL my wireless modems/hubs and my 2
Cisco routers and wrap them in foil and put em in closet 80' away at other
end of the house.
I had printed out over 7,000 pages of logs (1/4 of which I still have)
I spent WELL OVER 500 HOURS just removing spaces and characters from the
shell files I opened in notepad to reveal some of what was coded, and the
shit I saw was NOT put there by Microsoft

in March 2005, I got desperate and posted a $5,000 reward on a private forum
I belonged to, for ANYONE that could give me the id of the person responsible.

I was gonna pay someone to make sure he never touched a pc again, since he
would be missing a limb. I was NOT JOKING !!!!!!!!!!!!!!
this is where it gets even more unbelievable.
a guy called me from New Orleans saying he was a hacker and that "john" told
him I needed help and that he was a friend of john, (which I did have a
friend named "john" on that forum), but I never bothered to check with him
1st as the hacker told me john was outta the country which is why he couldn't
help me himself
after offering him $1500 and a plane ticket, he arrived 2 days later and
stayed 30 hours at my house.
he types 150 wpm so there was NO WAY I could follow everything he did.
again.... I WAS desperate, so I was very gullible at that point.
on the phone, he ASSURED me he could disassemble the worm in less than an hour
and what I did with the info, he didn't want to know about. I told him I
thought it was in the physical ram, and he said he had a fix for that, and
that there were maybe 5-7 guys in the world who were capable of creating that
type of worm
after he got here and started buzzing on his Mac laptop 90 to nothing, I for
the 1st time in 5 months felt a SIGH OF RELIEF!
I even told him I was hiring him to monitor my network for any future
attacks, as I was still capable of salvaging my business at that point.
he installed the HDs from 5 of my MAIN machines with all my important data
and expensive programs into one machine that he converted into Linux OS for
security reasons
he left the next day but still had 11 machines he hadn't cleaned yet, but
promised to return the next week to finish them
I started back on my business and I paid him the $500 weekly salary for
"monitoring" my network for 3 weeks, as he made excuses the 1st 2 weeks why
he couldn't come back yet
when he did come back, he started on the 11 machines I had ready for him,
but after the 3rd machine, he got my attention away and onto my T1 routers.
he talked me into letting him take one home with him to "study" it so he
could make SURE that I was NEVER compromised ever again
he had driven his NEW TRUCK he just bought, and as he showed it to me, I
happened to look on the dash and see a printout of MAPQUEST.COM with
directions from HIS HOUSE to MINE
something told me to do it, so I managed to make a copy of it and put it
back without him knowing it, cause lots of things were starting not to add
up
such as all the logs I had, he wouldn't look at one single page
even the one that showed the user WHEEBONG logging in to MY MACHINE and
accepting credit card payments for PHOTOS that he uploaded.
I started thinking after seeing that, that someone might be planting
child porn on my machines, and I got MORE paranoid (IF there WAS such a thing,
after the 5 months of HELL I went thru up to that point)
long story short, he never came to fix my remaining machines, he never
disassembled the worm for me, I caught him several times logged into my
machines on the "z" drive (which I have NEVER USED!)
I finally had to get my T-1 provider to change my IP block twice and bought
a new Cisco router as he had the MAC address from my old one, and also my
cable modem which I got a new one, as I could connect to my T and ipconfig
would show the IP and DNS of my cable provider and vice versa, as he had
DHCP to run NO MATTER what ....SOMEHOW from hacking my router or whatever
after $40,000 + on software, machines, hardware, etc and over $500k in LOST
INCOME, LOTS of KNOWLEDGE in net security, and having 80% of EVERY security
software made, I finally lost my business.
after Katrina hit, I got to thinking, hmmmmm maybe his ass is in the gulf :)

so I returned the 2 newest machines to Best Buy with some bs reasons and got
2 new machines which I have used for 8 months now, and thinking that with ZA
security suite 2006, DCS WormGuard, BOClean, PestPatrol, Spybot, DCS Process
Guard, PivX PreEmpt, Registry Mechanic, Security Task Mgr, WinTasks Pro,
and a few more progs, I surely was SAFE
well........JUST as I slowly started getting my biz off the ground at maybe
1/20th of what it WAS, today I woke to find ZA detected a trojan
I started digging and DAMMIT
the files I haven't looked in in God knows how long, there it was. the damn
terminal service trojan, and with a google, I FINALLY found out I wasn't the
only person going NUTZ !!
and SRGriffin, your post could be MINE with the username swapped.
EVERY SINGLE thing you posted, I've been thru, and sad to say have never
stopped it.
when I had let the FOX IN THE HENHOUSE, I do remember him telling me partly
WHY when I used factory restore disks, that the "D" and "E" drive wasn't
really being used, but that the trojan would somehow cache every
security/recovery program I tried and it was actually using ITS OWN VERSION.

THAT is WHY I was INFECTED after a complete reformat without ever connecting
to the net
I've tried Norton Partition Magic and God knows how many others, and the HD
is NEVER EVER EVER completely wiped CLEAN, even though even a knowledgeable
tech would bet his left nut it WAS!

these past few months I was in denial about seeing the CD-ROM cached to
CD_burning, the MOUNTED devices, the LEGACY drivers, the Chinese, Japanese and
Portuguese, the Cal State HACKS, my MS updates not installing, and all the
other crap I dealt with and EVERYONE thought I was on drugs, or had just
completely LOST IT!
NOW I realize just how slow my Sony Vaio VGC-RA820G dual processor with 1 g
DDR RAM is running, compared to what it SHOULD BE, specially on 1.5 T1

SO........... here we go AGAIN...
this time, I won't let it affect my marriage or my mind, as any other guy, if
they would have went thru what I went thru, (a lot I left out....... about
my Mother being on life support for 3 weeks and passing and a lot of other
things that those alone would cause anyone to go insane) that they would have
already sucked the end of a 44

NOW that I KNOW I'm not ALONE...... I WILL defeat this ass.
and BTW..... if anyone asks, "why haven't I already taken care of the "fox in
the henhouse?". WELL.......... THAT WILL COME. I was just waiting till the
time is right

in the meantime, if ANYONE has experienced the SAME, please contact me if you
have found a fix

regards,

Bubba............
 
L

Lanwench [MVP - Exchange]

Bubba Catts said:
OH MY GOD !!

I don't believe it!
FINALLY!!!!!!!!!!!!

I was TAKEN HOSTAGE by this thing on Thanksgiving day 2004
it originally was flagged by my AV as W32/Agobot-UE Worm
<snip>

Ouch. My eyes began to hurt after the second paragraph, and I merely skimmed
the rest.

If you have a specific technical question, and are not merely amusing
yourself, please post it concisely and you will likely get a lot of help in
the newsgroups.

Another thing to mention is that you must ensure that the tinfoil wrapping
has the shiny side out.
 
