Trojan "changes" XP --> 2000 virtual machine??

G

Guest

I had a network of XP boxes (mix of home and professional) that seem to have
changed to NT or 2000 and is running IIS and Active Directory. I've been
working on this for three weeks and I'm starting to think I've developed some
paranoid delusion. Anyone else seen this? Can't seem to get rid of it with
a diskwipe and rebuild and BIOS flash.

I get non-standard error messages, don't have permission to things that I
should, can't delete or list some things, get invalid file names w/ CD'ing to
a directory I can see, and see lots of pipes in TCPIP registry (a lot of
other strange things... shellscrap, appinst, etc.).

I've run "live" scans from Symantec, Panda, TrendMicro and run
demo/purchased products from Trend Micro and Symantec. None of them come up
with anything....but the log files seem to say they aren't scanning anything.


Security events seem to disappear as soon as I open the log and the clock
seems to be changing.

It also looks like my IDE hard drive and CD-ROM are mounted as SCSI devices
under the MMC panel-->removable media. Reads of my CD seem like they're coming
from the hard drive-->HD revs but no CD spin sometimes...maybe just cached?

There are also a TON of ftp/server/terminal executables I've never noticed
before and CMD window "blinks" but no output on <whateverstrange.exe> /?

Using Partition Commander I can see 4 "empties" that are invalid...and using
old Norton DOS utilities, I can see rsh stuff in the MBR record (although
that could've been from one of my utilities).

I also have a dosx and redirector running and the "minimal" safe config loads
them as well with dmio and a bunch of other dm* dlls and many weird files
like:
C:\$winnt$.~1l
c:\windows\system32\lmrtrend.dll
c:\windows\system32\mswinsck.ocx
c:\windows\system32\jpiclp32.cpl

There were also a bunch of invalid certificates in my browser.

I know that my IO is now "programmed I/O" from Extended BIOS. I don't know
if that's how it was before ~Dec. 16th when I think I got this thing by
stupidly clicking on an ActiveX add-in for the MS Update website, even though
it looked a little funny (figure it was after the WINS announcement and was
spoofed...ports 143,147-149 were open unfortunately on the firewall). Maybe
some small CMOS bug.

Anyone else seen this? I haven't looked at Windows this close since NT 4.0
so I'm probably just being paranoid.

By the way, I can also run "truename" (which I didn't realize I could do in
DOS) and get \\C.\A. for my floppy and something similar for my CD. The
command "Ver %os%" says Windows_NT, and I couldn't download virus software and
get the same MD5 checks (downloaded them at Kinko's).

My "delusion" seems to spread every time I copy or do any disk activity, as
well as scheduling various stuff even though I turn off the scheduling service (no
obvious settings in RUN/RUNONCE/RUNAS in reg), and finally reboots itself.
Although I do have a "Mr. Enigma" reg folder with nothing in it or under it???

I'm about ready to check myself into a padded room so please help me out if
you've seen this. I'm about 80% sure I had "something" on the network, but maybe
just KB886185 and now I've just spent too long on this.

Thanks!
 
T

Tom H

Your suspicions are correct --- you are completely insane. I recommend that
you try electroshock therapy, or perhaps a pre-frontal lobotomy. The new,
"next generation" type of lobotomy is much more selective --- it destroys a
region of the frontal lobe the size of a pea with a tiny RF probe --- it is
vastly superior to the old-fashioned, wholesale butchery of the connections
between the lobes that was the previously accepted practice. Good luck.
 
G

Guest

I have been able to narrow down this problem considerably and as such, the
subject doesn't really apply so I'll update in a new thread (also realizing
that my post from 3am didn't make as much sense as it seemed to at the time).

In summary, the machines have an "I/O controller" virus, which has been
stored somewhere in flash memory. I believe it's probably the video since
it's the first thing in the boot process (it disables CMOS recovery). This
"I/O controller" effectively hides a pretty big program spread across the
disk by sending back "bad I/O reads" if the read doesn't contain the correct
key (I determined this by "RTL" code that was written on the disk and parsed
with a hex dump). This larger program does all kinds of other bad stuff.
For more, see my updated post "IO Controller Virus" (although I'm going to check
posts to make sure this hasn't been reported yet).

And thanks, Tom, I may still need to look into your suggestion soon! ;)
 
G

Guest

--
N Lytnd


