From: Merna E via WindowsKB.com on 24 Jun 2005 22:55

You are not crackers. It removes your CD-ROM drivers and replaces them with a fake driver that links to its hideaway in DOS upper memory and just re-installs its own modified version of whatever OS you are running. I have the same bug and have been hunting a fix for it. I have trashed three computers and ruined countless hard drives trying to get rid of this nasty thing.

The Delete Driver file, called by the device driver's DODONT.bat, looks like this:

    cd\
    wscript c:\hp\bin\WaitAndDelete.jse "%1" /wait:1 //b
    if exist "%1" rd /s /q "%1"

No one has seen this thing. They all tell me I'm crackers, it can't do that, but it did. It takes advantage of several exploits; it's like three worms in one. It is even running TaToo to infest jpg files.

Now this part no one believes, but it's in there: I couldn't figure out how I kept getting re-infested. New puters, not hooked to the internet, and it would load at start-up! It opens a backdoor port to let a hacker in, and he, on the original infestation, must have somehow got into my HP LaserJet 5M printer and changed the network configuration files on the printer. So now I have to figure out how to clean that and the puter.
From: Merna E via WindowsKB.com on 25 Jun 2005 12:59

The two languages you are seeing are regular Chinese and simple Chinese. I found most of the log files on its installation. I found a list of all the files it deleted. I am not a computer guru, though, and have no idea how to fix this mess I have.

I found a perl/cmd script File: Author kumarp 21-August-98. Also there is a RPCRC.BAT that locates and changes the partition. It (the bug) changes Norton firewall and virus detection, changed the Windows firewall, and disables the Service Pack 2 patches.

I am stuck with WebTV so I can't cut and paste. I wouldn't anyway, as I don't want to give a complete road map on how to build and run this monster. But if someone at Microsoft is willing to help us I would be more than glad to print this mess out and mail it to them.

Look for a file regopt; it gives the unattended file path. There is a file BDMI which shows buildId=44NAheBLW1 and sets something called TATOO_VER=61. I checked the Symantec site and this seems to be a file for encrypting text into jpg files. Anyone know for sure what it is and what it does?

I don't know what else to say but hope someone can help us get rid of this thing. Thanks
From: Mike Brannigan [MSFT] on 25 Jun 2005 13:23

Create a bootable floppy on a known clean machine. Boot from that and run the low-level format tool from your hard disk vendor - there is no way for anything to survive that. Then boot from the operating system CD (known to be clean) and reinstall your OS. Any further infection is caused by external infection, or you're using infected media or restoring infected data.

--
Regards,
Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no rights.
Please note I cannot respond to e-mailed questions, please use these newsgroups.

"Merna E via WindowsKB.com" <forum(a)WindowsKB.com> wrote in message news:505A71F75CA60(a)WindowsKB.com...
> SRGriffin wrote:
>> I'll try to be brief and follow-up with a few more details in "reply" posting.
>>
>> It seems I have a trojan (or something...??) that I can't get rid of with a disk wipe.
>>
>> Why do I think I have a trojan?
>> General weird behavior, admins don't have permission for everything, autoupdate doesn't always work, downloads appear to be "filtered" and replaced (certificates on downloads invalid, wrong files, etc.), virus software is removed, weird port activity, and unfamiliar "options" in software installed.
>>
>> Setup Process:
>> =================
>> Ghost &/or diskpartition secure disk wipe
>> Install XP Home w/ two user accounts
>> Install XP SP2 from MS disk (got in snail mail)
>> Install Norton Internet Security 2005 (also tried TrendMicro & Comp. Assoc)
>> Set Passwords for all accounts including Administrator (using net cmd)
>> Connect to Internet (through switch & firewalled gateway-->most ports blocked)
>> Get all latest Updates
>> Install Office 2003 Pro and get updates
>> (also tried various changes to this process including bios/cmos resets)
>> "Scans" are clean w/ software, internet website scans, and adaware/hotbot (believe TS scanned, not host)
>>
>> Results:
>> =========
>> PC appears to be added to a domain w/ AD. Users are <computername>\user
>> Registry has Sidebyside .NET installations
>> Templates and other components, like games, can't be removed through control panel settings
>> Browser cache is "encrypted" and isn't removed through disk clean up or "clear cache"
>>
>> IME-chinese&japanese installed
>> IEAK installed
>>
>> All devices are "legacy" and IDE is installed as SCSI
>>
>> Boot partition is set to: \device\harddrive1\
>> Most hive files saved to: \device\harddrive1\ -- nothing in c:\windows\system32\config\
>>
>> Floppy and CD-Rom are mounted to hard drive (I think). CD-Rom is "cached" to "CD_burning"
>>
>> HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
>> \??\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}
>> binary data indicates \??\cdrom mounted on "stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
>> \??\Volume{317fd9f2-e117-11d9-9ee5-806d6172696f}
>> binary data indicates \??\genfloppy mounted on "stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
>>
>> Registry has HLM->system->Setup key with "allowstart" for AFD/Dcomlaunch/rpcss/protectedstorage/eventlog/plugplay/sacsvr/samss/ws2ifsl
>>
>> Safemode looks like there are chinese or japanese characters in the corner
>>
>> Laptop AGP Aperture mem is set to start at: F8000000 <--boot [desktop has altered ACPI values?]
>>
>> and logs like: TSCOS.LOG
>>
>> Here's a snippet
>> ++++++++++++++++++++++++++++++++++
>>
>> *******Initializing Message Log:tsoc.dll 06/19/05 23:11:00
>> *******Version:Major=5, Minor=1, Build=2600, PlatForm=2, CSDVer=, Free
>>
>> hydraoc.cpp(188)Entering OC_PREINITIALIZE
>> hydraoc.cpp(189)Component=terminalserver, SubComponent=?????????A
>> hydraoc.cpp(297)OC_PREINITIALIZE Done. Returning 1
>>
>> hydraoc.cpp(188)Entering OC_INIT_COMPONENT
>> hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
>> state.cpp(1006)Setup Parameters ****************************
>> state.cpp(1007)We are running on Wks
>> state.cpp(1008)Is this adv server No
>> state.cpp(1009)Is this Personal (Home Edition) Yes
>> state.cpp(1010)Is this SBS server No
>> state.cpp(1011)IsStandAloneSetup = No
>> state.cpp(1012)IsFreshInstall = Yes
>> state.cpp(1013)IsTSFreshInstall = Yes
>> state.cpp(1014)IsUnattendSetup = No
>> state.cpp(1015)IsUpgradeFromTS40 = No
>> state.cpp(1016)IsUpgradeFromNT50 = No
>> state.cpp(1017)IsUpgradeFromNT51 = No
>> state.cpp(1018)IsUnattended = No
>> state.cpp(1020)Original State ******************************
>> state.cpp(1021)WasTSInstalled = No
>> state.cpp(1022)WasTSEnabled = No
>> state.cpp(1023)OriginalPermMode = WIN2K
>> state.cpp(1037)Original TS Mode = TS Disabled
>> state.cpp(1050)Current State ******************************
>> state.cpp(1065)New TS Mode = Personal TS
>> state.cpp(1075)New Permissions Mode = PERM_WIN2K
>> state.cpp(1084)New Connections Allowed = False
>> hydraoc.cpp(297)OC_INIT_COMPONENT Done. Returning 0
>>
>> hydraoc.cpp(188)Entering OC_EXTRA_ROUTINES
>> hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
>> hydraoc.cpp(297)OC_EXTRA_ROUTINES Done. Returning 0
>>
>> hydraoc.cpp(188)Entering OC_QUERY_STATE
>> hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
>> hydraoc.cpp(704)Query State Asked For terminalserver, Original. Returning SubcompOff
>> hydraoc.cpp(297)OC_QUERY_STATE Done. Returning 2
>>
>> hydraoc.cpp(188)Entering OC_CALC_DISK_SPACE
>> hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
>> subcomp.cpp(153)In OCMSubComp::OnCalcDiskSpace for TerminalServices
>> subcomp.cpp(109)sectionname = <FreshInstallSection.pro.x86>, actual section = <TerminalServices.FreshInstall.pro>
>> subcomp.cpp(172)Calculating disk space for add section = TerminalServices.FreshInstall.pro
>> hydraoc.cpp(297)OC_CALC_DISK_SPACE Done. Returning 0
>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>> I have lots more data!
>>
>> Anyone....ANYONE AT ALL...know what this is?? Is this known? Something new? Some weird Microsoft copy protection gone bad (desktop not yet validated since I keep rebuilding....laptop shouldn't be an issue)
>
> --
> First, you are not crackers. This is a very nasty bug that thankfully does not seem to be widespread.
> My system is infected with it also and I came here to find out how to get rid of it.
> As far as wiping the hard drive, it doesn't work. I have personally increased the value of Seagate stock because of this nasty bug.
> There is a file called delete driver, called from a DODONt.bat.
> It removes your driver and replaces it with its own driver which reinstalls
> of oos
> held in the upper memory of DOS.
> I am trying to figure out how to get my driver back into DOS.
> The delete driver command looks like this:
> cd\
> wscript c:\hp\bin\waitAndDelete.jse "%1" /wait:1 //b
> if exist "%1" rd /s /q "%1"
>
> REM this file called
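The MountedDevices values quoted in SRGriffin's post are REG_BINARY blobs, and the {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} suffix he saw is the standard storage volume device-interface class GUID, which floppy, CD-ROM and other removable volumes normally carry. Decoding such values from an exported hive, rather than trusting the tools on a machine you suspect, is a routine triage step. The decoder below is an added example written for this page; it is not code from any poster. Windows uses three encodings for these values (12-byte MBR signature plus partition offset, "DMIO:ID:" plus a GUID for GPT or dynamic volumes, and a UTF-16LE device path); the sample export is constructed, with an invented disk signature, GUID and IDE device path, and only the \??\Volume{...} name is taken from the thread.

```python
"""Offline decoder for HKLM\\SYSTEM\\MountedDevices values (added example,
not code from this thread).  MountedDevices holds one REG_BINARY value per
drive letter or \\??\\Volume{...} name; decoding the exported values lets a
responder read the mapping without running tools on the suspect machine."""
import struct
import uuid

# Storage device-interface class GUIDs that terminate the device paths found
# in MountedDevices.  Removable volumes (floppy, CD-ROM, USB) are registered
# under the VOLUME class, so a {53f5630d-...} suffix is normal, not tampering.
INTERFACE_CLASSES = {
    "53f56307-b6bf-11d0-94f2-00a0c91efb8b": "DISK",
    "53f56308-b6bf-11d0-94f2-00a0c91efb8b": "CDROM",
    "53f5630d-b6bf-11d0-94f2-00a0c91efb8b": "VOLUME",
    "53f56311-b6bf-11d0-94f2-00a0c91efb8b": "FLOPPY",
}


def decode_mounted_device(value: bytes) -> dict:
    """Decode one MountedDevices value into a dict describing the volume."""
    if len(value) == 12:
        # MBR basic disk: 4-byte disk signature followed by the 8-byte byte
        # offset of the partition start, both little-endian.
        signature, offset = struct.unpack("<IQ", value)
        return {"kind": "mbr", "disk_signature": f"0x{signature:08x}",
                "partition_offset": offset}
    if len(value) == 24 and value.startswith(b"DMIO:ID:"):
        # GPT partition or dynamic (LDM) volume: ASCII tag + 16-byte GUID.
        return {"kind": "dmio", "guid": str(uuid.UUID(bytes_le=value[8:]))}
    try:
        # Everything else is a UTF-16LE device path, e.g.
        # \??\IDE#CdRom...#{53f5630d-...} for an optical drive volume.
        path = value.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return {"kind": "unknown", "raw": value.hex()}
    interface = None
    if path.endswith("}") and "{" in path:
        guid = path[path.rfind("{") + 1:-1].lower()
        interface = INTERFACE_CLASSES.get(guid, "UNKNOWN:" + guid)
    return {"kind": "device_path", "path": path, "interface": interface}


# Constructed sample export: the disk signature, GPT GUID and IDE device path
# are invented; the \??\Volume{...} value name is the one quoted in the thread.
SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\C:": struct.pack("<IQ", 0x12345678, 63 * 512),
    r"\DosDevices\D:": b"DMIO:ID:"
    + uuid.UUID("5bb2e1e0-0b0c-4f4e-9a1b-0123456789ab").bytes_le,
    r"\??\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}": (
        r"\??\IDE#CdRomEXAMPLE_DRIVE#5&1a2b3c4d&0&0.0.0"
        r"#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
}


def triage(entries: dict) -> list:
    """Decode every entry; flag undecodable values and unknown interface classes."""
    report = []
    for name, value in entries.items():
        decoded = decode_mounted_device(value)
        decoded["name"] = name
        unknown_class = decoded["kind"] == "device_path" and (
            decoded["interface"] or "").startswith("UNKNOWN")
        decoded["suspicious"] = decoded["kind"] == "unknown" or unknown_class
        report.append(decoded)
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_MOUNTED_DEVICES):
        print(row)
```

Run it against a `reg export` of the MountedDevices key taken from the suspect hive and compare the decoded paths with the same key on a freshly built machine of the same model; a CD-ROM or floppy path ending in the VOLUME class GUID will appear on both.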
From: SRGriffin on 30 Jun 2005 17:24

Mike,

Any way to boot off an XP setup disk and break into a command prompt to ensure it isn't reading an unattend file? Or force a setup wipe of everything (format in setup doesn't work)?

Great suggestion on the low-level; unfortunately, since nothing detects this "problem" I have no way to know if I have a clean disk. I initially went to Kinko's to download tools, but am now wondering if my current issues are from Kinko's....either viral or strange group policy settings. And, even if I could get a clean floppy, it appears to infect the DMI so prevents doing anything to the disk....formats don't work (although maybe the hardware guys can do something directly and I will try it).

Other information for any that care:
Delete partition through setup (and create a new, different size partition) doesn't work (log files dated from before installation). Seems to be "mirrored" somewhere. Did find references to a "SunDisk" shadow??
Uses Performance Counters, Speech interface, SWflash, Media Encoding, .NET, java and VSB. Looks like it runs Internet 4.0.
Boots a "SR" service which seems to restore everything to the initial image.
I think it encodes data with media encoding both to hide and to issue "speech" commands.
Have "run into" a few websites that cause the browser to spit back a screen about my own configuration, i.e. PSP install details, listing server details which includes my IP. MS site failed because of my "web.config" which has set to "remote only", among other things (haven't been able to find this "web.config").

Well...pulling out my hair! While this is definitely sophisticated, it isn't technically difficult, so surprised no one seems to have heard or seen anything like this. Please add anything if anyone knows anything about this!
From: Merna E via WindowsKB.com on 4 Jul 2005 09:34

To make any headway with this thing you are going to have to take back ownership of the files. It changes the registry completely. There is a software program inside it called ICE; it's a do-not-install file. It's a backdoor worm that changes the system files and registry. It runs through the Realtek file. Go into services and turn off the sound, on both the local and extended. Once you turn off the sound you can access some of the files that keep telling you it is being used by another program.

I'll tell you there is no easy fix for this one. It replaces all the drivers with its own driver files. All Legacy. There is hardly anything left of the original registry. The worm is hidden in the PC-Doctor files to begin with, but it looks like it has replicated itself in several different files. It's the service that is running as a user. In the Permissions it is listed as a user with a long number that is preceded by the letter "S". It also has a backup restore file with asr keys: Not to restore, files not to back up, keys not to restore. It has a file named Biosinfo, cmos handler, a boot verification program, something called Hall C state Hacks.

There is a file named "secrets" that has all their passwords. Five preset users come with the worm. If your worm is not a later version of the one I have, the same passwords might be in it:
CupdTime
CurrVal
OldVal
OupdTime
SecDesc
Looks like the first one has the most access.

I don't know if you can see my post or not. If so, a reply would be nice.