HELP! Terminal Service Trojan??

Kerry Brown

Lanwench said:
> Another thing to mention is that you must ensure that the tinfoil
> wrapping has the shiny side out.

Actually after much experimentation I have found that aluminium foil with
the dull side out works best for stopping government rays and shiny side out
works best for stopping Alpha Centauri rays. Because of this you must use a
double layer.
 
Re: etc. Terminal Service Trojan??

I feel like Bubba,.......... FINALLY!!!!!

I have been fighting and chasing this unholy ghost for almost two years now. I don't know how soon, short of taking this machine out to the back yard and setting fire to it, I will find a fix, but at least now I know I am not just crazy and paranoid.

I found this site entirely by chance. I Googled the term "hydraoc", {which I found when poking around my machine - long story} which led me here. I can relate to everything as described by =Utf etc., Marna and Bubba. I too became really aware of the problem about Thanksgiving 2004. However, it seems that the real takeover was 8/26/2004, after the snooping and setup on 8/4/2004.

Restores, Security Programs, Tech help were all worthless as was a new hard drive, {the old one wrapped in aluminum foil and tucked away}. I'm not kidding! The only thing the new hard drive did was give it more room to play in.

Soooo, I thought I'd fix 'em. I went out and bought a new machine. Thought I would just start over, clean and fresh. Wrong. "It" was there in a heartbeat.
Another long story. I had considered maybe changing ISP, from cable to DSL at the same time but didn't do it. That may have made a difference but at this time my machine is too taken over. "It" would probably love DSL too.

I too have reams of documentation. You guys might try checking out your "System Information". Bring up "System History" for Hardware, Components and Software. Mine shows a listing of all of the changes that this thing has made. Will share if anyone is interested but for now I'm trying to keep this short.

Can't go, however until I comment on Mike Brannigan. His comments sounded like what I have heard so many times, the most recent of which was, "It'll be just like it came from the factory." Are they all in denial? Or what?

Now that I know that I'm not hallucinating, I am {again} considering passing this up to a higher power. No, not the Big Guy. The FBI. I don't know about you but I get the sense that there are financial transactions going on in the backroom somewhere and to go through these means, it can't be all legal.

So in the meanwhile, if anyone has any info on this thing I'd be happy to hear.
 
Wallie Green

Looks like no posts for a while - I have been dealing with this for 4 months
and was just ready to hire a P.I. for a lot of money - Most of your symptoms
sound familiar and I have already spent 3,000 on fees and new computers. Did
anyone find a cure for this? Please help - I have a business that has
suffered! Thanks
 
Harry Johnston

Wallie said:
> Looks like no posts for a while - I have been dealing with this for 4 months
> and was just ready to hire a P.I. for a lot of money - Most of your symptoms
> sound familiar and I have already spent 3,000 on fees and new computers. Did
> anyone find a cure for this? Please help - I have a business that has
> suffered! Thanks

The thread you're posting to has expired on the server, so there's no way for us
to tell what you are talking about. Please create a new post describing the
problem you are having.

Harry.
 
cquirke (MVP Windows shell/user)

On Tue, 10 Apr 2007 04:09:21 +0530, eidolen wrote:
> 4 Machines and 2 SOLID weeks into it I might just resign to living off
> of Bart PE boot disks for the rest of my life. I thought I was nuts as
> well scouring the web trying to find others with the same problem so I
> could track down a fix.

What scanners are you using from Bart boot?

Are you using RunScanner with registry-aware tools?

Note that some tools are not applicable from Bart, either because they
read "live" behavior that isn't redirected via RunScanner (e.g.
anything that lists services and device drivers) or because what they
do is particular to live malware behavior (i.e. rootkit behavior
detectors, LSP Fix).

> I see snippets here and there of the same symptoms but only the people
> on this thread really understand what's going on.

I use Bart-based scanning regularly, and I use all the scanners I can
get hold of, because there's always something that one scanner picks
up that all of the others miss.

I also do look-don't-touch scans for commercial malware from Bart,
using AdAware, Spybot and A-Squared. I note what they find, then
repeat these scans to kill-and-q'tine from Safe Cmd when I've finished
the Bart processing.

The last things I do before exiting Bart to do Safe Cmd, are:

1) HiJackThis log, via RunScanner

I do this after the automated scans.

2) De-bulk hi-risk stores

I move *all* Temp and TIF subtrees from where they naturally reside,
to somewhere else on the HD, thus breaking any references to content
there. This will often stop missed malware from running.

I also eyeball all StartUp, DPF and C:\ locations for oddballs,
managing these by moving them elsewhere.

3) Harvest spare registry hives, if needed

You can copy these out of C:\SVI...\RPxxx\Snapshot; this is the only
automated registry backup maintained by XP.

4) Scan ADS

From HiJackThis, you can scan for ADS. As at April 2007, code in ADS
has to be integrated to run automatically, so scanners may detect the
integration points, but I don't like to count on that.

5) Check logs

Check and summarize all logs from all scans, before booting HD for
first time. Look out for "detected but could not clean", and if you
see that, use Agent Ransack to find and rename-away (or move) the
offending code. Agent Ransack works from Bart.

> spyware helper forums just ignore requests for help when people list
> the symptoms of this worm as you never see a thread followed through
> where it was actually cleansed from the system.

I'm late-to-thread, so I don't know what symptoms or what worm you are
chasing. Clarify?

Final tip: If you can isolate the PC for a few days before scanning,
and then update all scanners just before you build the Bart CDR, you
may get the drop on malware that pulls new versions of itself every
hour or so. Keep the PC off ALL networks in Bart, Safe Cmd, etc.

> I have spent the last 3 days manually cleaning out a registry on this
> machine and I don't feel even half way done. The references made by the
> OP are the exact same symptoms I have. It has installed IIS, SOAP, Fox
> Pro, Olap, SUS, Access, etc.... Now that I read it's hiding code in
> jpegs I feel that I will never get rid of it.
> Has anyone made any progress at all on this or know if there are active
> threads on how to deal with this? I mean do I just throw away my years
> of data as I'm sure I'll just re-infect if there isn't a tool to
> actually kill this thing.

You'd need to anticipate this scenario in terms of your data backup
management, so that "data" really is just data, without incoming crap
and infectable code included.

That means going several steps further than standard MS practice,
which is utterly clueless in this respect - they dump incoming
material from IE, MS Messenger etc. into My Documents, advise you to
keep code files in My Docs to avoid SR activity, and all MS email apps
hide attachments within mailboxes.

If your data, and data backups, do not include incoming material or
infectable code, then it's a bit safer to "just" wipe, rebuild, and
restore your data backups.


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
 
Harry Johnston

eidolen said:
> Backed up all my data on a 500gb usb drive.
> Used Bart's Boot N Nuke with the DoD option.
> Removed CMOS battery for an hour.
> Installed Windows from factory CD.
>
> No good!

You're not being very specific about what exactly goes wrong at this point, so
it's hard to advise you.

It is possible that the Windows CD you are using is compromised. According to
news reports counterfeit CDs are turning up in shops.

What sort of network are you using? Could it be compromised?

Harry.
 
cquirke (MVP Windows shell/user)

On Tue, 17 Apr 2007 20:26:52 +0530, eidolen wrote:
> Unfortunately I am on the cusp of being out of steam to continue
> pursuing this anymore. As far as which tools I've tried I'd have to
> respond..All of them. I have honestly tried every thing I can think of
> so far but it's no good. I believe that all of my Bart disks were
> probably infected so I've never really had a clean environment to work
> with in the first place.

OK, that's a problem if the Bart is built from an infected PC :-(

I'm really asking, in case you have some tools Bart'd that I haven't,
heh heh. Firth says "you can never have enough lice pictures", but
for me, I can never have enough Bart'ed tools ;-)

> Backed up all my data on a 500gb usb drive.
> Used Bart's Boot N Nuke with the DoD option.
> Removed CMOS battery for an hour.
> Installed Windows from factory CD.

At this point, I'd suspect:
- bad installation disk
- bad hardware

In fact, there's not a lot else in the frame... unless by "no good",
you mean you're getting a stable installation that's streaming out
malware traffic before anything else is installed.

In that case, I'd want to ensure you really are dealing only with the
PC, i.e. don't have a router exposed to WiFi, etc.

> The list of Antivirus progs I've tried:
> Antivir - Avast - Sophos - McAfee - Comodo - Kaspersky (AOL ver) -
> F-Prot - ClamWin - AVG - Trend Micro - DrWeb - Maybe others I forgot.
> The list for spyware detection software I ran is just as comprehensive
> so I won't list them. I am afraid to try any web based scans as they
> all require IE with ActiveX enabled and I believe I would be
> compromised further enabling that functionality.

IKWM. The only way I'd use an online scanner is to submit a suspect
file to the server to be scanned there.

> Now, the real question remains....
> Where is this thing living? I can understand that all of my machines
> were compromised before I began, making it near impossible to work from
> a clean environment but my attempt involving a new drive should have
> worked unless it lives somewhere inside my BIOS or video card memory.

What's your router like? Many routers are in fact miniature Linux
boxen, and hackable accordingly.
 
Harry Johnston

anthonys said:
> My question is how to "flash" or check the validity of my bios, and

Probably not necessary. If you decide you need to, you'll need to consult the
documentation or web site provided by your computer vendor. The procedure is
specific to each model of computer.

> secondly, if I take my original C drive, and move it to a different
> "slot", put in a fresh drive in C and format that, will the infected
> DRIVE cross contaminate other drives IF it is removed from ACTIVE
> status?

Unlikely. Technically possible, e.g., if there is an unknown security fault in
the Windows file system drivers, but unlikely. It is possible that some of your
documents are infected and might infect the computer if they are opened, though
the potential damage would be limited if you open them using a
non-administrative user account which you can delete if necessary.

Harry.
 
Steve

Way Cool!!! Finally I found you guys. Where to begin?.... Phew, Let's just say it's been 1 year, 5 months, 3 weeks, 6 days, 2 hours, and 13 minutes, I've been analyzing, dissecting, mapping every move of your so called Terminal Trojan. That's no joke, and accurate to the very second, as I distinctly remember discovering the varmint at exactly one minute before Midnight, December 31, 2005, when I noticed certain files already having a date stamp of 2006, before the computer bios clock had changed from 2005. Yes, happy f----ing New Years to Me. I have spent every agonizing, waking moment since, following the same steps each of you mention.

To give you a bit of my background, my first computer ran the Z80 processor, built sometime in the Mid to late 70's. I have a BS in computer science and have held engineering / computer science professional roles in the business community for over 20 years. Let's just say, I'm not exactly a novice.

You've pretty much nailed it. Yes, each of you has in some form or fashion, described in detail, any one of its various manifestations or identities. But yes, there is much, MUCH more. I too, have mounds and MOUNDS of documentation, diagrams, notes, dates, times, lifecycles, etc. And if one more person tells me to low-level format, I'll rip their head off. You see, this "thing" is much more than just a computer virus. It lives, spreads and feeds as a micro organism and is transmitted to any piece of hardware that can hold a bit of data for more than a micro second and everything that contains a battery. That's right; printers, faxes, switchboxes, cdroms… yes, that's correct, not just your hard drive, it infects disk controllers, video controllers… the list goes on and on. Linux boxes are not safe either; it establishes a non existent fd0 device where it takes its first foothold. That's actually the most easily recognizable sign, but by then it's actually too late to win the game on that box, you're already toast.

Now, do I have the answer? I have a few, but I can assure you, I do NOT hold the magic key and in fact, to this day, am still uncovering minuscule details of its inner workings and consider it to be one of the most incredible, ingenious, single pieces of human marvel, I have ever seen, or will ever see in MY lifetime. Come on Microsoft, cough up some bucks, we need the best of the best on this ASAP!

Although I would hang its creator by his (or her) balls till death, for the world to see, I can't help but be amazed at the code's ability for utter survival. A truly astonishing feat for the most veteran programmer and or engineer. So if you're out there… reading this, tickled to death; keep in mind the fact that all good things must come to an end, and while you may still have the upper hand, your day will come, and those of us on the bandwagon of your destruction will be fierce, un-relentless, unforgiving unrivaled by your wildest imagination. So, go ahead, laugh all you want, your day WILL come.

Oh, and for everyone else, hit me up, we can chat. Maybe I can help you, maybe you can help me, but either way, I can assure you, no one will defeat it alone.

I'll be back, let's keep this going. I haven't spent the last two years of my life for nothing and yes, I'm in the same boat with thousands and thousands, and THOUSANDS of lost dollars in hardware, software, business, data, time… you name it, I've lost it.

For now, I'm out; it's late, and I've already spent yet another 16 hours puzzled over the very item of discussion. Rest assured you're NOT alone!

-S
 
Does this look familiar?

It showed up in my log files on the 11th at 3:03 in the morning while I was sleeping... Ugh.

*******Initializing Message Log:tsoc.dll 11/11/09 03:04:13
*******Version:Major=5, Minor=1, Build=2600, PlatForm=2, CSDVer=Service Pack 3, Free

hydraoc.cpp(188)Entering OC_PREINITIALIZE
hydraoc.cpp(189)Component=terminalserver, SubComponent=???????
hydraoc.cpp(297)OC_PREINITIALIZE Done. Returning 1


hydraoc.cpp(188)Entering OC_INIT_COMPONENT
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
state.cpp(1006)Setup Parameters ****************************
state.cpp(1007)We are running on Wks
state.cpp(1008)Is this adv server No
state.cpp(1009)Is this Personal (Home Edition) Yes
state.cpp(1010)Is this SBS server No
state.cpp(1011)IsStandAloneSetup = Yes
state.cpp(1012)IsFreshInstall = No
state.cpp(1013)IsTSFreshInstall = No
state.cpp(1014)IsUnattendSetup = No
state.cpp(1015)IsUpgradeFromTS40 = No
state.cpp(1016)IsUpgradeFromNT50 = No
state.cpp(1017)IsUpgradeFromNT51 = No
state.cpp(1018)IsUnattended = No
state.cpp(1020)Original State ******************************
state.cpp(1021)WasTSInstalled = Yes
state.cpp(1022)WasTSEnabled = Yes
state.cpp(1023)OriginalPermMode = WIN2K
state.cpp(1040)Original TS Mode = Personal TS
state.cpp(1050)Current State ******************************
state.cpp(1065)New TS Mode = Personal TS
state.cpp(1075)New Permissions Mode = PERM_WIN2K
state.cpp(1084)New Connections Allowed = False
hydraoc.cpp(297)OC_INIT_COMPONENT Done. Returning 0


hydraoc.cpp(188)Entering OC_EXTRA_ROUTINES
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
hydraoc.cpp(297)OC_EXTRA_ROUTINES Done. Returning 0


hydraoc.cpp(188)Entering OC_QUERY_STATE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
hydraoc.cpp(704)Query State Asked For terminalserver, Original. Returning SubcompOff
hydraoc.cpp(297)OC_QUERY_STATE Done. Returning 2


hydraoc.cpp(188)Entering OC_CALC_DISK_SPACE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
subcomp.cpp(159)In OCMSubComp::OnCalcDiskSpace for TerminalServices
hydraoc.cpp(297)OC_CALC_DISK_SPACE Done. Returning 0


hydraoc.cpp(188)Entering OC_CLEANUP
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
hydraoc.cpp(263)Error:StandAlone:TSOC Did not get OC_COMPLETE_INSTALLATION.
hydraoc.cpp(297)OC_CLEANUP Done. Returning 0


logmsg.cpp(42)********Terminating Log

It helped itself to a number of systems in my studio. NOTHING I have downloaded has been able to identify what it is, but it accessed my password database, and changed permissions on a lot of files.

Bob
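
The log in the post above has a regular shape: a header naming tsoc.dll, then `source.cpp(line)message` records grouped into `Entering OC_...` / `OC_... Done. Returning N` blocks, with `key = value` state lines from state.cpp. As an added example (not part of any post in this thread), this Python parser tabulates what such a log records so it can be read at a glance or compared between machines; the function name `summarize_tsoc_log` and the output layout are assumptions, and the sample is an excerpt of the lines quoted above.

```python
import re

# Excerpt of the tsoc.dll log quoted in the post above (copied, not constructed).
SAMPLE_LOG = """\
*******Initializing Message Log:tsoc.dll 11/11/09 03:04:13
hydraoc.cpp(188)Entering OC_INIT_COMPONENT
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
state.cpp(1011)IsStandAloneSetup = Yes
state.cpp(1021)WasTSInstalled = Yes
state.cpp(1022)WasTSEnabled = Yes
state.cpp(1065)New TS Mode = Personal TS
state.cpp(1084)New Connections Allowed = False
hydraoc.cpp(297)OC_INIT_COMPONENT Done. Returning 0
hydraoc.cpp(188)Entering OC_CLEANUP
hydraoc.cpp(263)Error:StandAlone:TSOC Did not get OC_COMPLETE_INSTALLATION.
hydraoc.cpp(297)OC_CLEANUP Done. Returning 0
logmsg.cpp(42)********Terminating Log
"""

HEADER = re.compile(r"Initializing Message Log:(\S+)\s+(.+)$")
RECORD = re.compile(r"^(\w+\.cpp)\((\d+)\)(.*)$")      # source file, line, message
ENTER = re.compile(r"^Entering (OC_\w+)$")
DONE = re.compile(r"^(OC_\w+) Done\. Returning (\d+)$")
SETTING = re.compile(r"^([^=*]+?)\s*=\s*(.+)$")         # "key = value" state lines


def summarize_tsoc_log(text):
    """Return header info, per-phase return codes, state.cpp settings and errors."""
    out = {"dll": None, "started": None, "phases": [], "settings": {}, "errors": []}
    phase = None                                  # OC_* block currently open
    for raw in text.splitlines():
        raw = raw.strip()
        if (h := HEADER.search(raw)):
            out["dll"], out["started"] = h[1], h[2]
            continue
        rec = RECORD.match(raw)
        if not rec:                               # blank lines, stray text
            continue
        src, lineno, msg = rec[1], int(rec[2]), rec[3].strip()
        if (m := ENTER.match(msg)):
            phase = m[1]
        elif (m := DONE.match(msg)):
            out["phases"].append((m[1], int(m[2])))
            phase = None
        elif msg.startswith("Error:"):
            out["errors"].append((phase, src, lineno, msg[len("Error:"):]))
        elif src == "state.cpp" and (m := SETTING.match(msg)):
            out["settings"][m[1].strip()] = m[2].strip()
    return out


if __name__ == "__main__":
    for key, value in summarize_tsoc_log(SAMPLE_LOG).items():
        print(key, value)
```

For this excerpt the summary shows `New Connections Allowed = False` among the settings and a single error recorded during the OC_CLEANUP phase.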
 
