From: Merna E via WindowsKB.com on 4 Jul 2005 17:20

Mike,

Software loaded;
Adobe
Agere
Apple Computer, Inc.
Avance
BackWeb
CO7ft5Y
Classes
Clients
Detto Technologies Inc.
Gemplus
Genesys Logic
HP
Ice
InstallShield
INTEL
InterMute
InterVideo
JavaSoft
L&H
Lead Technologies
Microsoft
MicroVision
Motive
MozillaPlugins
muvee Technologies
ODBC
PC-Doctor
Polices
Python
RealNetworks
Realtec
S3
Schlumberger
Secure
Sonic
Symantic
Wilson WindowWare
Windows 3.1 Migration Status
Xing Technology Corp.

--
Message posted via WindowsKB.com
http://www.windowskb.com/Uwe/Forums.aspx/windows-xp-security/200507/1

From: Mike Brannigan [MSFT] on 4 Jul 2005 18:17

Merna,

The list of software is irrelevant. Have you successfully reinstalled the OS and do you know you are clean? If so then you should obviously be fully patched and also loaded with anti virus and anti spyware. Then add your product back from known clean media only.

--
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no rights
Please note I cannot respond to e-mailed questions, please use these newsgroups

"Merna E via WindowsKB.com" <forum(a)WindowsKB.com> wrote in message news:50D586FB30E60(a)WindowsKB.com...
> Mike,
>
> Software loaded;
> Adobe
> Agere
> Apple Computer, Inc.
> Avance
> BackWeb
> CO7ft5Y
> Classes
> Clients
> Detto Technologies Inc.
> Gemplus
> Genesys Logic
> HP
> Ice
> InstallShield
> INTEL
> InterMute
> InterVideo
> JavaSoft
> L&H
> Lead Technologies
> Microsoft
> MicroVision
> Motive
> MozillaPlugins
> muvee Technologies
> ODBC
> PC-Doctor
> Polices
> Python
> RealNetworks
> Realtec
> S3
> Schlumberger
> Secure
> Sonic
> Symantic
> Wilson WindowWare
> Windows 3.1 Migration Status
> Xing Technology Corp.
>
> --
> Message posted via WindowsKB.com
> http://www.windowskb.com/Uwe/Forums.aspx/windows-xp-security/200507/1

From: "Merna E via WindowsKB.com" on 6 Jul 2005 12:13

The worm files are in the regs. When you look at the regs they look normal. Start removing some of the tweaks to the regs and the hidden regs show up. The partition is also set up in the regs. There are 4 major hotkeys, within each is a section of security regs, these alert the automated program to repair itself should any of its files become damaged or corrupted. At the base of these regs it always refers back to @mmsys.cpl-5848. These regs refuse to be removed. In the permissions they are owned by the system worm which has a long number preceded by the letter "S" as its user name. Even taking ownership of the file did not allow me to delete it.

Inside the partition it has a set of "shells" of EX, M, and 98. It is designed to make you think you have that OS, as you see the images of that OS, yet the core of the program has been replaced with NT.5. There is nothing left of XP except the facia. When you try to reformat you are simply directed to the reinstallation of its own OS appropriate facia. All the files are stored in its partition. There are tweaks to the regs to suppress the plug and play and direct everything related to your CD-ROM and other media drives back to the drivers in its partition, which are tweaked to allow you to use your media for anything except installing OS or anti-virus software.

Every other line of code in the screen savers even ends with a .1; a line of the worm's code. The worm is replicated over and over again inside the regs and in all of the files. There is a program called watch dog, and one called tim bomb. Apparently the watch dog keeps the worm files intact. I have seen several references releasing files if the remote server does not log on by a specific time. The remote server logs on with the password "Raw". There is also a bunch of regs referring to a journal. By the time I found these regs the worm was already fighting me for control and I was unable to open the files.

It has a Lockdown feature that refuses you the ability to search, edit or delete. It also has regs to disallow the emptying of the recycle bin. I sure hope someone is reading this and can help me figure out how to get rid of these persistent regs! After I had removed all of its regs I could (before it froze up regedit) it started converting the regs to links. I'm way over my head here guys, could use some ideas.

Thanks

From: "Merna E via WindowsKB.com" on 6 Jul 2005 12:51

Sorry, this web-tv browser doesn't let me see what I have written until it's posted.

Correction; The "Shells" in the regs are for the Local machine. It is set up with facia from XP both Home and Pro, Millennium and 98. It seems to have the ability to pick up the facia of whatever OS the victim's machine is running.

Mike,

I can't re-install OS as it won't recognise the cdrom. It keeps re-installing from the partition. Regs set up which disallow the format to wipe the partition. It is in protected storage regs. Partition is set up with persistent regs which it won't allow me to delete.

Thanks

--
Message posted via WindowsKB.com
http://www.windowskb.com/Uwe/Forums.aspx/windows-xp-security/200507/1

From: Mike Brannigan [MSFT] on 6 Jul 2005 15:10

The Windows XP CD ROM IS bootable - you need to just set your BIOS to use the CD as the first boot drive (see your PC or motherboard/BIOS manual). This will run setup before anything else - you can then remove partitions and reformat etc. Then do a clean install.

If you really want to low level format the hard disk too just follow the advice I have already provided.

--
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no rights
Please note I cannot respond to e-mailed questions, please use these newsgroups

"Merna E via WindowsKB.com" <forum(a)WindowsKB.com> wrote in message news:50EC5366C9D27(a)WindowsKB.com...
> Sorry, this web-tv browser doesn't let me see what I have written until it's posted.
>
> Correction; The "Shells" in the regs are for the Local machine. It is set up with facia from XP both Home and Pro, Millennium and 98. It seems to have the ability to pick up the facia of whatever OS the victim's machine is running.
>
> Mike,
>
> I can't re-install OS as it won't recognise the cdrom. It keeps re-installing from the partition. Regs set up which disallow the format to wipe the partition. It is in protected storage regs. Partition is set up with persistent regs which it won't allow me to delete.
>
> Thanks
>
> --
> Message posted via WindowsKB.com
> http://www.windowskb.com/Uwe/Forums.aspx/windows-xp-security/200507/1