
SRGriffin (04-16-05, 10:31 AM)
I have a small network of XP machines, mostly XP Home that appear to have an
Sus installation that propagates to them. It looks like it installs an NT or
2000 headless boot (maybe XP embedded??) and gives me remote desktop that
looks exactly like XP, but has a lot of strange behavior (Looks like NT or
2000 is installed, all devices are legacy, network traffic is forwarded from
loopback to "host", don't seem to have full permissions, etc.)

I've been trying to figure this one out for months and keep thinking I'm
just paranoid. Not being an XP expert (silicon and systems design) it took
me awhile to find all the pieces I'm still sorting out.

I'm DEFINITELY on a remote desktop, SuS is installed, MMC console appears to
be modified (mmccmdmgr.dll) w/ VB6 and the CD-Rom(s) are redirected and don't
give me what's really on them or "read them". Downloaded packages are
"signed", but the time stamp is off by a year or more, and they contain
things they shouldn't.

The USB drivers I downloaded from ViaForum are filled with QFE fills for
instance.

Even a Ghost diskwipe doesn't seem to get everything (Thinking it writes
stuff into the BIOS DMI).

All virus scans and spyware come back negative, but have realized, at least
in some cases, it either kills the app I started (Norton 2005) and starts an
older version (Norton 2002) or else it scans a clean part of the disk only.
(There's some disk space I can't access and found some code that looked like
it would return a "sector error" w/o the key).

I know this sounds like the ultimate paranoid delusion, but I'm sure it's
there. Although to be fair, until December when this first started to become
obvious, my security inside the firewall was pretty terrible. Since I had
tons of development stuff -- compilers, VM Ware, bits of old OSes in archives
-- it's possible someone or some program had a lot of time to set all this
stuff up. I also had 2003 server on the network, just to install (and
thought I had removed all the others from the network), and could have done
something then..although nothing intentional and certainly not to the extent
that I see (Like NT/2000 files).

My first question is: What's the cleanest way to remove SuS and get the
correct CAT files back and being referenced on XP Home? (SFC scan asks for a
2000 disk, which I obviously don't have).

Second question: While this may be just me, I've seen similar behavior on
friends computers (although they've all had some sort of contact with my
environment). Is there a quick way to detect SuS and some boot server
running?

Last Question: Anyone EVER heard of this? Is this a known issue I just
haven't been able to find anything about?

I'm happy to share bunches of data with anyone that wants it (or thinks I'm
just paranoid;). I'm currently thinking I'll be able to hook the 2003 server
back up and fix them through group and local policy changes, but it would be
nice if there was an easier fix.

Regards,
SRGriffin
redaffro (04-16-05, 04:21 PM)
i have come to the same conclusion, please email me to compare notes... its
so good that i've considered my sanity many times while troubleshooting these
cases cause i've seen it more than once.
SRGriffin (04-18-05, 12:45 PM)
Here are a few more details:

On a compaq laptop I took apart to replace the DVD Drive, among other things
(Bought it new from Circuit City).

Ghost Wipe the drive, then loaded the OS image with the Compaq restore
disks(4 CDs). Loaded SP2 from CD from MS. Loaded Norton Security 2005,
Partition Commander 9, Fix-it Utilities. Renamed or deleted directories
containing any .Cab files or other possible installation sources. Cleaned
registry with "fix-it" default, safe settings.

Connected to direct internet connection to get updates and then
disconnected....

One of the updates automatically downloaded...Virtual PC Update!??

Hidden devices in control panel include: ACPI-Compliant Embedded Controller;
AFD Networking Support Environment; clntmgmt.sys, dmboot, dmload, EABFilter,
Fallback, ksecdd, mnmdd, Fsks, RDPCDD, ParVdm.....more but realize some might
be XP standard ???

SQL Server and ISS appear to be installed, but can't update them. IE 4.0 gets
installed and IEAK.

All computers have registry settings for:
Key Name: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\COMPAQ\0818\06040000
Class Name: <NO CLASS>
Last Write Time: 4/17/2005 - 5:10 PM
Value 0
Name: 00000000
Type: REG_BINARY
Data: <<Nearly 10kb in data follow>>

Key Name: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port
0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Class Name: <NO CLASS>
Last Write Time: 4/17/2005 - 5:10 PM
Value 0
Name: Identifier
Type: REG_SZ
Data: FUJITSU MHR2030AT

Key Name: HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\Hardware
Abstraction Layer\ACPI Compatible Eisa/Isa HAL
Class Name: <NO CLASS>
Last Write Time: 4/17/2005 - 5:10 PM
Value 0
Name: .Raw
Type: REG_RESOURCE_LIST
Data:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ComServersTable.ComServersTable.1\CLSID
Data: {7B3125F4-F14D-11D1-BE0C-000000000000}
HLM\System\CurrentControlSet\Services\Abiosdsk
HLM\System\CurrentControlSet\Services\basic2\enum\0
HLM\System\CurrentControlSet\Services\Cnxtdiag\Enum\0
HLM\System\CurrentControlSet\Services\dmadmin\
HLM\System\CurrentControlSet\Services\dmboot\
HLM\System\CurrentControlSet\Services\dmio\
HLM\System\CurrentControlSet\Services\EABFilter --> image:
\??\C:\WINDOWS\System32\drivers\EABFiltr.sys
HLM\System\CurrentControlSet\Services\MSPQM --> image:
system32\drivers\MSPQM.sys
HLM\System\CurrentControlSet\Services\MRxDAV\EncryptedDirectories\
HLM\System\CurrentControlSet\Services\MSIServer ---> MS Installer Server
HLM\System\CurrentControlSet\Services\P3\Enum\INITSTARTFAILED ---> 1 <<P4
System>>
HLM\System\CurrentControlSet\Services\Ql10wnt\Group\SCSI Miniport\
HLM\System\CurrentControlSet\Services\RASl2tp
HLM\System\CurrentControlSet\Services\RASMan
HLM\System\CurrentControlSet\Services\SharedAccess\Epoch\ <<<No Sharing
Enabled>>>
HLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ --->xpsp2res.dll,-22019
HLM\System\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\
HLM\System\CurrentControlSet\Services\Simbad
HLM\System\CurrentControlSet\Services\Sparrow\Parameters\PnpInterface\1 --> 1
HLM\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Well Known
Guids\AppleTalk \IsoTp \McsXns
HLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\image ==> winrnr.dll
HLM\SYSTEM\CurrentControlSet\Services\wmiApSrv
HLM\SYSTEM\CurrentControlSet\Services\wuauserv\parameters\ServiceDll -->
wuauserv.dll
HLM\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\

HLM\SYSTEM\CurrentControlSet\Control\Arbiters\BrokenMemAtF8...\BrokenVideo
....\Root
HLM\SYSTEM\CurrentControlSet\Control\GroupOrderList\base
.....\filter..\FSFilter {cluster,compression,replication, top....}
HLM\SYSTEM\CurrentControlSet\Control\HAL\CStateHacks
HLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages --> msv1_0
HLM\SYSTEM\CurrentControlSet\Control\Lsa\forceguest --> 1
HLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot ---> 1
HLM\SYSTEM\CurrentControlSet\Control\Session Manager\SFC\CommonFilesDir
\ProgramFilesDir
HLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Kmode
\Optional \Posix... \Windows
HLM\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType ---> WinNT
HLM\SYSTEM\CurrentControlSet\Control\Session
Manager\AppPatches\INSTSCR\ff060102c47b1f00040750db0100\e
<<Notice Offset on Hard drive>>
HLM\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\1&30a96598&0&Signature24DA24D9Offset7E00Length6FC7C0200\Control

HLM\SOFTWARE\ATI Technologies\CDS\System\0
HLM\SOFTWARE\GIANTCompany\AntiSpyware\ <<MS AntiSpyWare>>
HLM\SOFTWARE\ODBC\ODBC.INI\ODBC File DSN\DefaultDSNDir

HCU\Software\Microsoft\IEAK
HCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
HRZR_EHACNGU:::{20Q04SR0-3NRN-1069-N2Q8-08002O30309Q}
HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\abgrcnq.rkr
HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Abgrcnq.yax
HRZR_PGYPHNPbhag:pgbe
HCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache\Extensible Cache\MSHist012005041820050419

Partition Commander (scout) log: [small portion]
==============START OF PARTITION MANAGER ============
Drive 0 (ATA) - Validated
From Windows (#0): 27.944 GB Total sectors = 58605120 (LBA -0)
Cylinders = 3648 Tracks = 255 Sectors/track = 63
From controller: 27.944 GB Total sectors = 58605120
Cylinders = 16383 Tracks = 16 Sectors/track = 63
HD-model: FUJITSU MHR2030AT (firmware 53BB) s/n: NJ36T2915YRW
Supports drive > 137 GB
Features: power=yes, removable=no, fault-detect=yes, security=yes
(0009)
Host protected area supported & enabled w/48-bit addr. (none used)
Drive & --Starting-- ---Ending--- -------Sectors------- ---Size
in GB-- Clust
Partition ID Sec Hd Cyl Sec Hd Cyl First Total Total
Unused size Volume label
C: +0-0 07 1 1 0 63 254 1023 63 58605057 27.944
FSv3.1 4K
0-1 00 0 0 0 0 0 0 0 0 0
- -
0-2 00 0 0 0 0 0 0 0 0 0
- -
0-3 00 0 0 0 0 0 0 0 0 0
- -
~~~~~~~~~~~~~~~~~~ <<<Con't>> ~~~~~~~~~~
3) Media descriptor byte (never below F0h) F8
4) Sectors per track (should match the disk) 63
5) Tracks per cylinder (should match the disk) 255
6) Total sectors from the partition entry 58605057
7) Total sectors from boot (should match partition) 58605056
8) Extended signature (29h for FAT/FAT32, 80h for NTFS) 80
9) File system ID "NTFS "
10) Start of the MFT 804864
11) Start of the MFT copy 2098486
12) Clusters per MFT record (power of 2 or F6h for 1K) F6h
13) Clusters per index record (power of 2 or F4h for 4K) 01h
14) Volume label ""

==========================END OF PARTITION MGR==========================

Any other thoughts or comments? Still working on getting server up to
manage these better....will that work with Home?

"SRGriffin" wrote:
[..]
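Two of the items in the dump above are easier to judge once decoded or parsed, so here is an added example (not code from the thread or from any participant): the value names under the UserAssist\{75048700-...}\Count key are stored ROT13-encoded by Explorer itself, so "HRZR_EHACNGU:..." is ordinary bookkeeping of what the user launched, and the NTFS boot sector fields listed in the Partition Commander log can be parsed from a 512-byte sector to check whether the one-sector gap between the partition entry (58605057) and the boot sector (58605056) is the normal backup-boot-sector reservation. The boot sector bytes are constructed here from the logged values; the USERASSIST_NAMES list is copied from the post.

```python
import codecs
import struct

# Value names copied verbatim from the UserAssist dump in the post above.
USERASSIST_NAMES = [
    "HRZR_EHACNGU:::{20Q04SR0-3NRN-1069-N2Q8-08002O30309Q}",
    "HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\abgrcnq.rkr",
    "HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Abgrcnq.yax",
    "HRZR_PGYPHNPbhag:pgbe",
]


def decode_userassist(name: str) -> str:
    """Explorer ROT13-encodes UserAssist value names; undo that to read them."""
    return codecs.decode(name, "rot13")


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Parse the BIOS parameter block fields of one NTFS boot sector."""
    if len(sector) != 512:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    oem = sector[3:11]
    if oem != b"NTFS    ":
        raise ValueError(f"not an NTFS boot sector: {oem!r}")
    bps, spc = struct.unpack_from("<HB", sector, 11)          # bytes/sector, sectors/cluster
    media = sector[21]                                         # F8h = fixed disk
    spt, heads, hidden = struct.unpack_from("<HHI", sector, 24)
    total, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 40)
    cpfr = struct.unpack_from("<b", sector, 64)[0]             # clusters per MFT record
    cpib = struct.unpack_from("<b", sector, 68)[0]             # clusters per index record
    cluster = bps * spc

    def size_of(n: int) -> int:
        # A negative value means 2**|n| bytes (F6h -> 1 KB); positive is a cluster count.
        return 2 ** (-n) if n < 0 else n * cluster

    return {
        "bytes_per_sector": bps,
        "cluster_bytes": cluster,
        "media_descriptor": media,
        "sectors_per_track": spt,
        "heads": heads,
        "hidden_sectors": hidden,
        "total_sectors": total,
        "mft_lcn": mft_lcn,
        "mftmirr_lcn": mftmirr_lcn,
        "mft_record_bytes": size_of(cpfr),
        "index_record_bytes": size_of(cpib),
    }


def build_sample_boot_sector() -> bytes:
    """Constructed sample: the values the Partition Commander log reports
    (4K clusters, F8h media byte, 63 sectors/track, 255 heads, MFT 804864,
    MFT copy 2098486, F6h/01h record sizes), laid out as a real boot sector."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x52\x90"                 # jump to bootstrap code
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 11, 512, 8)   # 512 B/sector, 8 sectors/cluster = 4K
    s[21] = 0xF8
    struct.pack_into("<HHI", s, 24, 63, 255, 63)
    struct.pack_into("<QQQ", s, 40, 58605056, 804864, 2098486)
    struct.pack_into("<b", s, 64, -10)       # F6h: 2**10 = 1024-byte MFT records
    struct.pack_into("<b", s, 68, 1)         # 01h: one cluster = 4096-byte index records
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def explain_sector_count(partition_total: int, boot_total: int) -> str:
    """NTFS keeps a backup boot sector in the last sector of the partition and
    leaves it out of the BPB total, so a difference of exactly one is normal."""
    diff = partition_total - boot_total
    if diff == 1:
        return "ok: the backup boot sector accounts for the one-sector difference"
    if diff > 1:
        return f"suspicious: {diff - 1} sectors past the volume end are unaccounted for"
    return "suspicious: the boot sector claims more sectors than the partition has"


if __name__ == "__main__":
    for name in USERASSIST_NAMES:
        print(decode_userassist(name))
    info = parse_ntfs_boot_sector(build_sample_boot_sector())
    print(info)
    print(explain_sector_count(58605057, info["total_sectors"]))
```

Run as-is, the UserAssist names decode to UEME_RUNPATH / UEME_RUNPIDL entries for Notepad and My Computer, and the partition-versus-boot-sector comparison reports the expected one-sector reservation; a larger gap, or a boot-sector total exceeding the partition, is what would actually merit a closer look at the disk layout.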
andy smart (04-18-05, 04:10 PM)
SRGriffin wrote:
[..]
> nice if there was an easier fix.
> Regards,
> SRGriffin

Can you boot it from a disk, and then run some scans from there?
SRGriffin (04-18-05, 05:56 PM)
I think I have access to the floppy (after messing w/ the registry...you'll
notice the first reg. entry is indeed BIOS settings...either writing to cmos
or emulating a BIOS and the video card has a strange BIOS), but don't have
confidence in booting off a CD. Depending on how the server works out, I'll
probably convert the disk to fat32 so I can get to it more easily.

"andy smart" wrote:
[..]
SRGriffin (04-19-05, 06:34 AM)
I was able to get the aforementioned Laptop connected to the Server and
verified exactly what I had suspected.

The laptop had win2000 installed on it.....AND the server was "infected"
too, but since it couldn't "trump" the domain rights it was relatively easy
to update security policies and fix.

So, on the "clean laptop install" and the "clean Server 2003" install I had
win2000 installed also. I guess the real problem....posix was also
"installed". So POSSIBLY the server machine was just "infected" before.

But...this leads me to a bigger question...

How can this be confirmed w/o a Server handy and how many other people have
this same problem?? Seems like this could explain A LOT of things going on
lately....Internet Storm, Strange Permissions and such I see posted all over.

Oh, by the way...since Win2000 was in control, the other boot was still
WinXP SP1 even though I installed SP2 with a MS CD! Sure looked like it was
installed...but apparently it was uninstalled!

Very Disturbing....I'm guessing I know of a few others with this problem as
well.
Mercury (04-19-05, 11:52 AM)
Get a knoppix CD with NTFS read, or one of the windows diag boot cd's based
on WinPE or Bart PE to get read only access.

From your description, there appears only one way out - retrieve data files
only, fdisk, and rebuild all the systems. I won't say it sounds like a root
kit 'cos I have never come across one (there is rootkitrevealer) so don't
know, but this sounds so sick fdisk is surely the only way forwards -
keeping infected systems powered off and off the network (IE all systems ).

"SRGriffin" <SRGriffin> wrote in message
news:ae6c
[..]
markholmes (04-30-06, 12:08 AM)
SRGriffin wrote:
[..]
markholmes (04-30-06, 01:09 AM)
I Have tried for months and spent over $5000 on pc equipment. This
MALWARE has INFECTED EVERY COMPUTER - EVERY BIOS - EVERY HARDDRIVE.

I WENT OUT AND BOUGHT A BRAND NEW COMPUTER AND IT WAS INSTALLED ON THE
FIRST BOOTUP...I SWEAR. THIS IS AN AMAZING VIRUS.

ANY HELP?

MY SYMPTOMS ARE THE SAME AS YOURS. I'LL POST MY HIJACKTHIS FILE...BUT
IT DOESNT REVEAL ANYTHING. I'M ON A WINDOWS MEDIA COMPUTER...I'VE
RELOADED THE SOFTWARE, REFORMATED...100's OF TIMES OVER THE PAST 6
MONTHS. IT CONTROLS EVERYTHING. CD...FLOPPY...DOS...COMMAND LINE. IT
WILL RUN AN HIDDEN UNINSTALLER RITE NEXT TO YOUR APPLICATION THAT
THREATENS IT. ANTIVIRUS...FIREWALLS...A JOKE!

THIS VIRUS IS EVEN ON MY DADS MACINTOSH. IT HAS DIFFERENT
SYMPTOMS...BUT HE HAS HAD PROFESSIONALS TRY TO FIX IT...WE HAVE BOTTH
SENT OUR COMPUTER IN TO THE PRO'S. THEY CAN'T FIX IT EITHER...THEY SEE
A COMPLETELY DIFFERENT REGISTRY. HOW DO YOU FIX THAT? BUY A NEW
COMPUTER? THE FILES / REGISTRY / COMPUTER YOU BOUGHT ARE NEVER GOING
TO BE THERE....I'M GLAD YOU FIXED YOURS.

I HAVE THOUGHT MINE WAS FIXED. I HAVE DOWNLOADED EVERY TROJAN / VIRUS
PROGRAM KNOWN...YES THEY CLAIM TO FIX THE MANY INFECTIONS ----------
BUT DAYS...WEEKS...THE COMPUTERS GONE!

YOU CAN READ IN THE REGISTRY HOW POWERFUL THIS VIRUS IS...IT HAS
COMPLETE CONTROL OF EVERYTHING. I EVEN THINK IT RUINED MY SONY CLIE
AND HAD CONTROL OF MY HP PRINTER...ANY INFRARED / BLUETOOTH, ETC. IT
ATTACKS.

MY DAD CANNOT STOP HIS MAC FROM BEING A SERVER. ITS A MESS...WE CANT
TERMINATE IT FROM USING ITS AIRPORT SERVICE...AND I'M SURE IT IS A PATH
TO INFECT / REINFECT.

I'M ILL.

PLEASE HELP.

I'VE SEEN OTHER PEOPLE CALL THIS THE TERMINAL SERVICE TROJAN.

IF THIS IS THE BIGGEST THREAT IN PC SECURITY...WHY ISN'T MICROSOFT...OR
THE ANTIVIRUS COMPANIES ALL OVER THIS?

I KNOW THAT NOT TOO MANY PEOPLE ARE INFECTED...BECAUSE IT LITERALLY
RUINES LIVES...I'VE READ A FEW POSTS THAT MAKE MINE SEEM SANE.

ALSO ... AMONG A MILLION THINGS OBVIOUS IN THE REGISTRY (BUT ONLY IN
THE REGISTRY!) PEOPLE MENTION THINGS LIKE WATCHDOG AND TIM BOMB ---
LOTS OF LEGACY STUFF... MOST EVERYTHING IN THE %SYSTEMROOT%...OR SOME
DRIVE LIKE .... HERES ONE FOR A CD....

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{1186654d-47b8-48b9-beb9-7df113ae3c67}\##?#IDE#CdRomHL-DT-ST_CD-RW_GCE-8527B________________1.01____#5&3aadb0d2&0&0.0.0#{1186654d-47b8-48b9-beb9-7df113ae3c67}

ANYWAY...ALL HELP IS APPRECIATED!
Logfile of HijackThis v1.99.1
Scan saved at 2:32:43 AM, on 1/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\VCOM\SYSTEM~1\SSuite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Mark\LOCALS~1\Temp\Temporary Directory 1 for
hijackthis[1].zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD
& DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE"
/Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program
Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
-
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
-
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA
Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP -
C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA,
Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

]-Originally posted by SRGriffin -
[..]
David H. Lipman (04-30-06, 03:26 AM)
From: "markholmes" <markholmes.271w8d>

| I Have tried for months and spent over $5000 on pc equipment. This
| MALWARE has INFECTED EVERY COMPUTER - EVERY BIOS - EVERY HARDDRIVE.
|
| I WENT OUT AND BOUGHT A BRAND NEW COMPUTER AND IT WAS INSTALLED ON THEFIRST BOOTUP...I
| SWEAR. THIS IS AN AMAZING VIRUS.

< snip >

This is bullsh!t and FUD !

There are NO viruses that can infect and live in a BIOS.

You are obviously re-infecting your computer.

You are also going to piss off people by posting in all caps. It shows laziness and in
Usenet space it is considered shouting. Not to mention all caps is more difficult to read.

Add to that your posting a HJT log. HJT logs are more than discouraged in Usenet News
Groups simply put -- don't post them in News Groups. There are Expert forums SPECIFICALLY
for HJT logs.

Forums where you can get expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order
Finally, Trojans are not viruses. They do not self replicate.

I don't know if you are a Troll or what but, this post certainly comes off as a Troll-like
post !
Panda_man (04-30-06, 09:23 PM)
Hey , boy , do you understand what you say / state .
This is all wrong and it is not possible to happen , you are just doing
something wrong.

As soon as you reinstall Windows and format the existing hard drive, your
old data is gone.
You must use only genuine and legal Microsoft products because only they
guarantee you
100% success with no problems. Install legal drivers only! Install
reputable AV software as soon as you install Windows.
Update the AV. Use internet firewall. Download and apply all updates for
your Windows operating system.
Don't install stupid files/softwares that can potentially be threat.

In your HJT log I see some things that are currently unknown for me but I
have no time to search in Google for them
you can do this to receive more info.

And again , what you say is absolutely wrong and impossible to happen !

Regards!

Panda_man
vikki.lynn (09-11-13, 06:03 PM)
On Sunday, April 30, 2006 12:23:02 PM UTC-7, Panda_man wrote:
[..]
>
>
> Please , rate post


So I know this "thread" is 7 years old but what these guys have told you is all true.
I have spent the last 5 months going through every registry key to figure out how
*whoever* was pulling this off. What is being done is that there are really no actual OS to your hard drive anymore..they are more of just image files to give it the illusion of your OS...they partition the drive and turn it into a VM server to either host a porn site...or a gaming site. Doing more research I happened to come across a chunk of the hack online


Also it is very real to have your BIOS infected and this worm does just that.
To get rid of this I did an 8 pass of DBAN. On a clean machine I downloaded an updated version of my BIOS and put it on a usb drive along with combofix..rkiller and malware bytes. Before reinstalling my OS I made sure to unplug modem/router and then reinstalled, flashed my BIOS and then did another sweep of DBAN..formatted and finally I think I have got it cleaned out.

I am sure there are many people hit with this if 7 years later it is still happening.
But if you are not aware of what should and should not be going on in your PC you would not even notice.
Hope this helps anyone who stumbles upon this post.
David H. Lipman (09-11-13, 06:31 PM)
From: <vikki.lynn>

[..]
> But if you are not aware of what should and should not be going on in your
> PC you would
> not even notice. Hope this helps anyone who stumbles upon this post.


The chances of an "infected" BIOS is lower than one winning the PowerBall.
Corrupting the BIOS has a greater propensity.
~BD~ (10-09-13, 01:04 AM)
vikki.lynn wrote:
> On Sunday, April 30, 2006 12:23:02 PM UTC-7, Panda_man wrote:
> So I know this "thread" is 7 years old but what these guys have told you is all true.
> I have spent the last 5 months going through every registry key to figure out how
> *whoever* was pulling this off. What is being done is that there are really no actual OS to you hard drive anymore..they are more of just image files to give it the illusion of your OS...they partition the drive and turn it into a VM server to either host a porn site...or a gaming site. Doing more research I happened to come across a chunk of the hack online
>
> Also it is very real to have your BIOS infected and this worm does just that.
> To get rid of this I did an 8 pass of DBAN. On a clean machine I downloaded an updated version of my BIOS and put it on a usb drive along with combofix..rkiller and maleware bytes. Before reinstalling my OS I made sure to unplug modem/router and then reinstalled, flashed my BIOS and then did another sweep of DBAN..formatted and finally I think I have got it cleaned out.
> I am sure there are many people hit with this if 7 years later it is still happening.
> But if you are not aware of what should and should not be going on in your PC you would not even notice.
> Hope this helps anyone who stumbles upon this post.


Hi! :-)

You might like to read the thread here ....

Message-ID: <uok659d8gpj0tot6lp68587dmpdf3d4ojf>

One answer there says:-

==

Well that sounds insane, but here you go, a theory.

He mentions SUS and a Windows 2003 server on the network. You can't
install SUS on Windows XP home, so maybe he *is* booting to a Remote
Desktop showing the Windows 2003 server on which SUS is installed.

Sounds Citrix like. Could be something like this

There's even a free limited user version, and the clients are free I
think. Get a bit of old hardware and turn it into a thin client for
FREE!!!!!!!!!!!!!!!!!!!

==

I might try that if it rains tomorrow!

Thanks for posting, btw.
Vickie McKnight (10-09-13, 12:05 PM)
Still fighting it...I know it is crazy....! What do you think about some kind of hook being there and the *whatever* keeping access through dcom config? I just nuked my hard drive with 7 passes and reinstalled again. I had the idea to change the settings using DCOMCNFG, got to a point where I was going to set permissions under launch and activation to all the groups and I got shut out. I can not change anything or access gpedit or WMI...very infuriating whatever this is but I am not giving up. Would you like to play a game? Any ideas? Besides bleaching registry keys and changing values I do not know what to do. I have 3 comps that are like this that got infected from the network this last April / May. I do not know all the aspects of dcom but I do know wmi or wmic but I am pretty sure this is their way in...but how can whatever they hit me with survive a 7 pass nuke that took almost 30 hours...ugh! Bout to just take it out back and beat it with a baseball bat. Before I nuked this time they had partitioned the drive 4 times and pretty sure they are over seas...Korea? So any ideas...thoughts. If you know any dcom syntax I can hit it that way in Dos..not finding a lot of dcom syntax on the web.

Thanks!

On Tuesday, October 8, 2013 4:04:39 PM UTC-7, ~BD~ wrote:
[..]
> Thanks for posting, btw.
> --
> Dave
