From: SRGriffin on 22 Jun 2005 05:21

I'll try to be brief and follow up with a few more details in a "reply" posting.

It seems I have a trojan (or something...??) that I can't get rid of with a disk wipe.

Why do I think I have a trojan?
General weird behavior, admins don't have permission for everything, autoupdate doesn't always work, downloads appear to be "filtered" and replaced (certificates on downloads invalid, wrong files, etc.), virus software is removed, weird port activity, and unfamiliar "options" in software installed.

Setup Process:
=================
Ghost &/or diskpartition secure disk wipe
Install XP Home w/ two user accounts
Install XP SP2 from MS disk (got in snail mail)
Install Norton Internet Security 2005 (also tried TrendMicro & Comp. Assoc)
Set Passwords for all accounts including Administrator (using net cmd)
Connect to Internet (through switch & firewalled gateway-->most ports blocked)
Get all latest Updates
Install Office 2003 Pro and get updates
(also tried various changes to this process including bios/cmos resets)
"Scans" are clean w/ software, internet website scans, and adaware/hotbot (believe TS scanned, not host)

Results:
=========
PC appears to be added to a domain w/ AD. Users are <computername>\user
Registry has Sidebyside .NET installations
Templates and other components, like games, can't be removed through control panel settings
Browser cache is "encrypted" and isn't removed through disk clean up or "clear cache"

IME-chinese&japanese installed
IEAK installed

All devices are "legacy" and IDE is installed as SCSI

Boot partition is set to: \device\harddrive1\
Most hive files saved to: \device\harddrive1\ -- nothing in c:\windows\system32\config\

Floppy and CD-Rom are mounted to hard drive (I think). CD-Rom is "cached" to "CD_burning"

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
\??\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}
binary data indicates \??\cdrom mounted on "stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
\??\Volume{317fd9f2-e117-11d9-9ee5-806d6172696f}
binary data indicates \??\genfloppy mounted on "stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Registry has HLM->system->Setup key with "allowstart" for AFD/Dcomlaunch/rpcss/protectedstorage/eventlog/plugplay/sacsvr/samss/ws2ifsl

Safemode looks like there are chinese or japanese characters in the corner

Laptop AGP Aperture mem is set to start at: F8000000 <--boot [desktop has altered ACPI values?]

and logs like: TSCOS.LOG

Here's a snippet
++++++++++++++++++++++++++++++++++

*******Initializing Message Log:tsoc.dll 06/19/05 23:11:00
*******Version:Major=5, Minor=1, Build=2600, PlatForm=2, CSDVer=, Free

hydraoc.cpp(188)Entering OC_PREINITIALIZE
hydraoc.cpp(189)Component=terminalserver, SubComponent=?????????A
hydraoc.cpp(297)OC_PREINITIALIZE Done. Returning 1

hydraoc.cpp(188)Entering OC_INIT_COMPONENT
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
state.cpp(1006)Setup Parameters ****************************
state.cpp(1007)We are running on Wks
state.cpp(1008)Is this adv server No
state.cpp(1009)Is this Personal (Home Edition) Yes
state.cpp(1010)Is this SBS server No
state.cpp(1011)IsStandAloneSetup = No
state.cpp(1012)IsFreshInstall = Yes
state.cpp(1013)IsTSFreshInstall = Yes
state.cpp(1014)IsUnattendSetup = No
state.cpp(1015)IsUpgradeFromTS40 = No
state.cpp(1016)IsUpgradeFromNT50 = No
state.cpp(1017)IsUpgradeFromNT51 = No
state.cpp(1018)IsUnattended = No
state.cpp(1020)Original State ******************************
state.cpp(1021)WasTSInstalled = No
state.cpp(1022)WasTSEnabled = No
state.cpp(1023)OriginalPermMode = WIN2K
state.cpp(1037)Original TS Mode = TS Disabled
state.cpp(1050)Current State ******************************
state.cpp(1065)New TS Mode = Personal TS
state.cpp(1075)New Permissions Mode = PERM_WIN2K
state.cpp(1084)New Connections Allowed = False
hydraoc.cpp(297)OC_INIT_COMPONENT Done. Returning 0

hydraoc.cpp(188)Entering OC_EXTRA_ROUTINES
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
hydraoc.cpp(297)OC_EXTRA_ROUTINES Done. Returning 0

hydraoc.cpp(188)Entering OC_QUERY_STATE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
hydraoc.cpp(704)Query State Asked For terminalserver, Original. Returning SubcompOff
hydraoc.cpp(297)OC_QUERY_STATE Done. Returning 2

hydraoc.cpp(188)Entering OC_CALC_DISK_SPACE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
subcomp.cpp(153)In OCMSubComp::OnCalcDiskSpace for TerminalServices
subcomp.cpp(109)sectionname = <FreshInstallSection.pro.x86>, actual section = <TerminalServices.FreshInstall.pro>
subcomp.cpp(172)Calculating disk space for add section = TerminalServices.FreshInstall.pro
hydraoc.cpp(297)OC_CALC_DISK_SPACE Done. Returning 0
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I have lots more data!

Anyone....ANYONE AT ALL...know what this is?? Is this known? Something new? Some weird Microsoft copy protection gone bad (desktop not yet validated since I keep rebuilding....laptop shouldn't be an issue)
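
The `MountedDevices` entries quoted in the post above hold REG_BINARY data in a small number of layouts, so they can be decoded and read directly; this added example (not part of the original thread) does that. The function names and all sample byte values are constructed for illustration; only the two volume names and the `{53f5630d-...}` GUID are taken from the post.

```python
import struct

# GUID_DEVINTERFACE_VOLUME: the interface-class suffix quoted in the post for
# both the \??\cdrom and the \??\genfloppy entries.
VOLUME_INTERFACE_GUID = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"


def decode_mounted_device(data: bytes) -> dict:
    r"""Classify one REG_BINARY value from HKLM\SYSTEM\MountedDevices."""
    # Basic MBR volume: 4-byte disk signature, then the 8-byte partition
    # start offset in bytes, both little-endian.
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr_partition",
                "disk_signature": f"{signature:08x}",
                "start_offset": offset,
                "start_sector": offset // 512}  # assumes 512-byte sectors
    # GPT volume (later Windows versions): "DMIO:ID:" + 16-byte partition GUID.
    if len(data) == 24 and data.startswith(b"DMIO:ID:"):
        return {"kind": "gpt_partition", "partition_guid_raw": data[8:].hex()}
    # CD-ROM, floppy and removable media: a UTF-16LE device interface path.
    if len(data) % 2 == 0:
        try:
            text = data.decode("utf-16-le").rstrip("\x00")
        except UnicodeDecodeError:
            text = ""
        if text.startswith(("\\??\\", "_??_")):
            parts = text[4:].split("#")
            guid = parts[-1].lower() if parts[-1].startswith("{") else None
            return {"kind": "device_path",
                    "path": text,
                    "enumerator": parts[0],
                    "device_id": parts[1] if len(parts) > 1 else None,
                    "interface_guid": guid,
                    "is_volume_interface": guid == VOLUME_INTERFACE_GUID}
    # Anything else deserves a manual look at the raw bytes.
    return {"kind": "unknown", "length": len(data)}


def report(values: dict) -> list:
    """Return (value name, decoded record) pairs for a dump of the key."""
    return [(name, decode_mounted_device(raw)) for name, raw in values.items()]


def _path(text: str) -> bytes:
    """Encode a device path the way the registry stores it."""
    return text.encode("utf-16-le")


# Constructed sample data. The volume names are the ones quoted in the post;
# the byte values are made up, since the post elides the real ones.
SAMPLE_VALUES = {
    # Disk signature 0x1234ABCD, partition starting at sector 63.
    r"\DosDevices\C:": struct.pack("<IQ", 0x1234ABCD, 63 * 512),
    r"\??\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}":
        _path(r"\??\IDE#CdRomCONSTRUCTED_SAMPLE#0000#" + VOLUME_INTERFACE_GUID),
    r"\??\Volume{317fd9f2-e117-11d9-9ee5-806d6172696f}":
        _path(r"\??\FDC#GENERIC_FLOPPY_DRIVE#CONSTRUCTED&0#" + VOLUME_INTERFACE_GUID),
}

if __name__ == "__main__":
    for name, record in report(SAMPLE_VALUES):
        print(name, "->", record)
```

Values that come back as `unknown`, or device paths whose enumerator does not match hardware actually present in the machine, are the ones to examine by hand.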
From: SRGriffin on 22 Jun 2005 05:55

A few more details:

I think that this "thing" sits on a system partition it hijacks during setup and then never tells the OS setup is finished so the system partition never gets erased. It is clearly also doing a system restore or backup at every boot to make sure it comes back. It also seems to create a shadow copy of itself. The OS reports I run out of space for occasional updates, when everything says I have 25+ gigs.

A number of the controls appear to be either java or .net "copies". Communicates w/ pipes. Sets up a web server as evidenced by the inetsrv folder in c:\windows (unless that's an office thing). Seems to "encode" data into media streams and use ADO. Sets up updates services so the "terminal os" gets patched versions of updates or doesn't install them (or uninstalls them). Disables motherboard devices through invalid updates with smbios...maybe firmware, which disables any ability to boot first or get to the cmos on some systems. Caches software and then runs it through a host3g.dll or similar and looks like it uses the processor performance counters to monitor things.

If you're successful in getting the system partition removed, then you've also removed your registry so it won't boot. Creates $winnt$.inf where I think it may mount from??

I know this sounds a bit paranoid, but I have all the data....after months! of banging my head. Please let me know if this is all really legit so I can stop looking at this!!:)
From: Mike Brannigan [MSFT] on 22 Jun 2005 06:14

"SRGriffin" <SRGriffin(a)discussions.microsoft.com> wrote in message news:F902D053-40D2-4264-AC12-332FB95F44C6(a)microsoft.com...
> I'll try to be brief and follow-up with a few more details in "reply"
> posting.
>
> It seems I have a trojan (or something...??) that I can't get rid of with a
> disk wipe.
> ...

If you believe you have something on your disk that is surviving a "disk wipe" (this really depends on what you think you are doing and how you are doing this) - then low level format the entire disk (you do this at your own risk and must follow the manufacturer's instructions for this process).

--
Regards,
Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no rights

Please note I cannot respond to e-mailed questions, please use these newsgroups
From: SRGriffin on 22 Jun 2005 12:42

I guess what I mean to say is that it survives the "process" of a diskwipe. (A diskwipe meaning a DOD diskwipe in Ghost and a Secure erase in diskpartition.)

So either something is booting off the disk and redirecting IO, or there is something in flash memory somewhere that comes back, or some combination.

So since this isn't some known MS thing, I'll start posting more liberally around the web to see what I can find.

Any way to verify my observations?

"Mike Brannigan [MSFT]" wrote:
> If you believe you have something on your disk that is surviving a "disk
> wipe" (this really depends on what you think you are doing and how you are
> doing this) - then low level format the entire disk (you do this at your own
> risk and must follow the manufacturer's instructions for this process).
From: Merna E via WindowsKB.com on 24 Jun 2005 22:23

SRGriffin wrote:
>I'll try to be brief and follow-up with a few more details in "reply" posting.
>
>It seems I have a trojan (or something...??) that I can't get rid of with a
>disk wipe.

First, you are not crackers. This is a very nasty bug that thankfully does not seem to be widespread. My system is infected with it also and I came here to find out how to get rid of it. As far as wiping the hard drive, it doesn't work. I have personally increased the value of Seagate stock because of this nasty bug.

There is a file called delete driver; called from a DODONt.bat. It removes your driver and replaces it with its own driver which reinstalls of oos held in the upper memory of DOS. I am trying to figure out how to get my driver back into DOS.

The delete driver command looks like this:

cd\
wdscript c:\hp\bin\waitAndDelete.jse "%1" /wait:1 //b
if exist "%1" rd /s /q "%1"
REM this file called