Guest
I had a network of XP boxes (mix of home and professional) that seem to have
changed to NT or 2000 and are running IIS and Active Directory. I've been
working on this for three weeks and I'm starting to think I've developed some
paranoid delusion. Anyone else seen this? Can't seem to get rid of it with
a disk wipe and rebuild and BIOS flash.
I get non-standard error messages, don't have permission to things that I
should, can't delete or list some things, get invalid file names when CD'ing to
a directory I can see, and see lots of pipes in the TCPIP registry (a lot of
other strange things... shellscrap, appinst, etc.).
I've run "live" scans from Symantec, Panda, Trend Micro and run
demo/purchased products from Trend Micro and Symantec. None of them come up
with anything... but the log files seem to say they aren't scanning anything.
Security events seem to disappear as soon as I open the log and the clock
seems to be changing.
It also looks like my IDE hard drive and CD-ROM are mounted as SCSI devices
under the MMC panel-->removable media. Reads of my CD seem like they're coming
from the hard drive-->HD revs but no CD spin sometimes... maybe just cached?
There are also a TON of ftp/server/terminal executables I've never noticed
before and CMD window "blinks" but no output on <whateverstrange.exe> /?
Using Partition Commander I can see 4 "empties" that are invalid... and using
old Norton DOS utilities, I can see rsh stuff in the MBR record (although
that could've been from one of my utilities).
I also have a dosx and redirector running and the "minimal" safe config loads
them as well with dmio and a bunch of other dm* dlls and many weird files
like:
C:\$winnt$.~1l
c:\windows\system32\lmrtrend.dll
c:\windows\system32\mswinsck.ocx
c:\windows\system32\jpiclp32.cpl
There were also a bunch of invalid certificates in my browser.
I know that my IO is now "programmed I/O" from Extended BIOS. I don't know
if that's how it was before ~Dec. 16th when I think I got this thing by
stupidly clicking on an ActiveX add-in for the MS Update website, even though
it looked a little funny (figure it was after the WINS announcement and was
spoofed...port 143,147-149 were open unfortunately on the firewall). Maybe
some small CMOS bug.
Anyone else seen this? I haven't looked at Windows this close since NT 4.0
so I'm probably just being paranoid.
By the way, I can also run "truename" (which I didn't realize I could do in
DOS) and get \\C.\A. for my floppy and something similar for my CD. The
command "Ver %os%" says Windows_NT, and I couldn't download virus software and
get the same MD5 checks (downloaded them at Kinko's).
My "delusion" seems to spread every time I copy or do any disk activity as
well as schedules various stuff even though I turn off scheduling service (no
obvious settings in RUN/RUNONCE/RUNAS in reg) and finally reboots itself.
Although I do have a "Mr. Enigma" reg folder with nothing in it or under it???
I'm about ready to check myself into a padded room so please help me out if
you've seen this. I'm about 80% I had "something" on the network, but maybe
just KB886185 and now I've just spent too long on this.
Thanks!
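The one solid step in the post is comparing hashes of the AV downloads against copies fetched on a separate machine: a hash computed on a suspect host means nothing unless the reference values were produced somewhere you trust. The script below is an added example, not code from the original post, showing that baseline-and-compare workflow: build a hash manifest on the trusted machine, carry it across, and verify on the suspect machine, reporting matches, mismatches and missing files. The file names and contents in the demo are constructed here, and the manifest layout and function names are this example's own assumptions; it defaults to SHA-256 but accepts "md5" if that is all the vendor publishes.

```python
"""Verify files on a suspect host against a hash manifest built on a trusted host.

Added example for the thread above; the manifest format and names are assumptions.
"""
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=65536):
    """Return the hex digest of a file, read in chunks so large files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(relative_paths, base_dir, algorithm="sha256"):
    """Run this on the TRUSTED machine: map each relative path to its digest."""
    return {rel: hash_file(os.path.join(base_dir, rel), algorithm)
            for rel in relative_paths}


def verify_manifest(manifest, base_dir, algorithm="sha256"):
    """Run this on the SUSPECT machine: recompute each digest and compare.

    Returns a report with three lists: files that match the trusted digest,
    files present but with a different digest, and files that are absent.
    """
    report = {"ok": [], "mismatch": [], "missing": []}
    for rel, expected in manifest.items():
        full = os.path.join(base_dir, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)
            continue
        actual = hash_file(full, algorithm)
        # Compare as a constant string equality; digests are hex, so no case issues.
        bucket = "ok" if actual == expected else "mismatch"
        report[bucket].append(rel)
    return report


def demo(algorithm="sha256"):
    """Constructed scenario: identical downloads on both hosts, then one tampered copy."""
    trusted_dir = tempfile.mkdtemp(prefix="trusted_")
    suspect_dir = tempfile.mkdtemp(prefix="suspect_")

    # Constructed sample files standing in for the vendor downloads.
    files = {
        "scanner.exe": b"clean scanner bytes",
        "sigs.dat": b"signature data",
        "readme.txt": b"release notes",
    }
    for name, data in files.items():
        with open(os.path.join(trusted_dir, name), "wb") as f:
            f.write(data)
        if name != "readme.txt":  # simulate a file that never arrived on the suspect host
            with open(os.path.join(suspect_dir, name), "wb") as f:
                f.write(data)

    # Simulate the suspect host altering one of the downloads after it landed.
    with open(os.path.join(suspect_dir, "scanner.exe"), "ab") as f:
        f.write(b" + injected")

    manifest = build_manifest(list(files), trusted_dir, algorithm)
    return verify_manifest(manifest, suspect_dir, algorithm)


if __name__ == "__main__":
    print(demo())
```

The manifest must travel from the trusted machine on read-only media or be typed from a printout, and the comparison is only as good as the tool doing the hashing; on a host suspected of kernel-level tampering, the reliable check is to boot from known-clean media and hash the files from there rather than from the running system.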