HELP! Terminal Service Trojan??

Windows Security
  #1  
Old 22-06-2005
SRGriffin
 
Posts: n/a
HELP! Terminal Service Trojan??

I'll try to be brief and follow-up with a few more details in "reply" posting.

It seems I have a trojan (or something...??) that I can't get rid of with a
disk wipe.

Why do I think I have a trojan?
General weird behavior, admins don't have permission for everything,
autoupdate doesn't always work, downloads appear to be "filtered" and
replaced (certificates on downloads invalid, wrong files, etc.), virus
software is removed, weird port activity, and unfamiliar "options" in software
installed.

Setup Process:
=================
Ghost &/or diskpartition secure disk wipe
Install XP Home w/ two user accounts
Install XP SP2 from MS disk (got in snail mail)
Install Norton Internet Security 2005 (also tried TrendMicro & Comp. Assoc)
Set Passwords for all accounts including Administrator (using net cmd)
Connect to Internet (through switch & firewalled gateway-->most ports blocked)
Get all latest Updates
Install Office 2003 Pro and get updates
(also tried various changes to this process including bios/cmos resets)
"Scans" are clean w/ software, internet website scans, and adaware/hotbot
(believe TS scanned, not host)

Results:
=========
PC appears to be added to a domain w/ AD. Users are <computername>\user
Registry has Sidebyside .NET installations
Templates and other components, like games, can't be removed through control
panel settings
Browser cache is "encrypted" and isn't removed through disk clean up or
"clear cache"

IME-chinese&japanese installed
IEAK installed

All devices are "legacy" and IDE is installed as SCSI


Boot partition is set to: \device\harddrive1\
Most hive files saved to: \device\harddrive1\ -- nothing in
c:\windows\system32\config\

Floppy and CD-Rom are mounted to hard drive (I think). CD-Rom is "cached" to
"CD_burning"

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
\??\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}
binary data indicates \??\cdrom mounted on
"stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
\??\Volume{317fd9f2-e117-11d9-9ee5-806d6172696f}
binary data indicates \??\genfloppy mounted on
"stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Registry has HLM->system->Setup key with "allowstart" for
AFD/Dcomlaunch/rpcss/protectedstorage/eventlog/plugplay/sacsvr/samss/ws2ifsl

Safemode looks like there are chinese or japanese characters in the corner

Laptop AGP Aperture mem is set to start at: F8000000 <--boot [desktop has
altered ACPI values?]

and logs like: TSCOS.LOG

Here's a snippet
++++++++++++++++++++++++++++++++++

*******Initializing Message Log:tsoc.dll 06/19/05 23:11:00
*******Version:Major=5, Minor=1, Build=2600, PlatForm=2, CSDVer=, Free

hydraoc.cpp(188)Entering OC_PREINITIALIZE
hydraoc.cpp(189)Component=terminalserver, SubComponent=?????????A
hydraoc.cpp(297)OC_PREINITIALIZE Done. Returning 1


hydraoc.cpp(188)Entering OC_INIT_COMPONENT
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
state.cpp(1006)Setup Parameters ****************************
state.cpp(1007)We are running on Wks
state.cpp(1008)Is this adv server No
state.cpp(1009)Is this Personal (Home Edition) Yes
state.cpp(1010)Is this SBS server No
state.cpp(1011)IsStandAloneSetup = No
state.cpp(1012)IsFreshInstall = Yes
state.cpp(1013)IsTSFreshInstall = Yes
state.cpp(1014)IsUnattendSetup = No
state.cpp(1015)IsUpgradeFromTS40 = No
state.cpp(1016)IsUpgradeFromNT50 = No
state.cpp(1017)IsUpgradeFromNT51 = No
state.cpp(1018)IsUnattended = No
state.cpp(1020)Original State ******************************
state.cpp(1021)WasTSInstalled = No
state.cpp(1022)WasTSEnabled = No
state.cpp(1023)OriginalPermMode = WIN2K
state.cpp(1037)Original TS Mode = TS Disabled
state.cpp(1050)Current State ******************************
state.cpp(1065)New TS Mode = Personal TS
state.cpp(1075)New Permissions Mode = PERM_WIN2K
state.cpp(1084)New Connections Allowed = False
hydraoc.cpp(297)OC_INIT_COMPONENT Done. Returning 0

hydraoc.cpp(188)Entering OC_EXTRA_ROUTINES
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
hydraoc.cpp(297)OC_EXTRA_ROUTINES Done. Returning 0

hydraoc.cpp(188)Entering OC_QUERY_STATE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
hydraoc.cpp(704)Query State Asked For terminalserver, Original. Returning
SubcompOff
hydraoc.cpp(297)OC_QUERY_STATE Done. Returning 2

hydraoc.cpp(188)Entering OC_CALC_DISK_SPACE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
subcomp.cpp(153)In OCMSubComp::OnCalcDiskSpace for TerminalServices
subcomp.cpp(109)sectionname = <FreshInstallSection.pro.x86>, actual section
= <TerminalServices.FreshInstall.pro>
subcomp.cpp(172)Calculating disk space for add section =
TerminalServices.FreshInstall.pro
hydraoc.cpp(297)OC_CALC_DISK_SPACE Done. Returning 0
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I have lots more data!

Anyone....ANYONE AT ALL...know what this is?? Is this known? Something new?
Some weird Microsoft copy protection gone bad (desktop not yet validated
since I keep rebuilding....laptop shouldn't be an issue)


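The MountedDevices values quoted in the post can be checked rather than guessed at. The GUID `{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}` that ends them is GUID_DEVINTERFACE_VOLUME, and Windows normally records removable drives (CD-ROM, floppy) in HKLM\SYSTEM\MountedDevices as UTF-16LE device interface paths of exactly that shape, while fixed MBR partitions are stored as a 12-byte disk signature plus offset. The script below is an added example written for this thread, not code from the thread or from Microsoft: it decodes the three value layouts, extracts the bus and device id from each path, and flags any volume-interface entry whose bus is not one you expect to be physically present. The `\??\Volume{...}` names are the two from the post; the device paths behind them, the disk signature, and the function names are constructed for illustration.

```python
import struct
import sys
import uuid

# GUID_DEVINTERFACE_VOLUME, the device interface class GUID that ends the
# device-path values quoted in the post. Windows stores removable drives
# (CD-ROM, floppy) in MountedDevices as UTF-16LE paths of this form.
VOLUME_INTERFACE_GUID = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"


def decode_mounted_device(data: bytes) -> dict:
    """Classify one REG_BINARY value from HKLM\\SYSTEM\\MountedDevices.

    Three layouts occur in practice (length is the discriminator, so a
    12-byte value is always read as MBR data):
      12 bytes           -> MBR basic disk: DWORD disk signature + QWORD partition offset
      "DMIO:ID:" + 16 B  -> GPT partition GUID
      anything else      -> UTF-16LE device interface path
    """
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr_partition",
                "disk_signature": f"{signature:08x}",
                "start_offset": offset}
    if len(data) == 24 and data.startswith(b"DMIO:ID:"):
        return {"kind": "gpt_partition",
                "partition_guid": str(uuid.UUID(bytes_le=data[8:]))}
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return {"kind": "unknown", "raw": data.hex()}
    result = {"kind": "device_path", "path": text, "is_volume_interface": False}
    if text.lower().endswith(VOLUME_INTERFACE_GUID):
        # Layout: \??\<bus>#<device id>#<instance id>#{interface class GUID}
        body = text[4:] if text.startswith("\\??\\") else text
        parts = body.split("#")
        result["bus"] = parts[0]
        result["device_id"] = parts[1] if len(parts) > 1 else ""
        result["is_volume_interface"] = True
    return result


def summarize_mounted_devices(entries: dict) -> list:
    """Decode every value of a MountedDevices key into a triage-friendly list."""
    return [dict(name=name, **decode_mounted_device(value))
            for name, value in sorted(entries.items())]


def unexpected_buses(entries: dict, expected_buses) -> list:
    """Names of volume-interface entries whose bus is not in the expected set.

    The defensive check: every device-path entry should correspond to a bus
    (IDE, FDC, USBSTOR, SCSI, ...) physically present in the machine.
    """
    allowed = {b.upper() for b in expected_buses}
    return [e["name"] for e in summarize_mounted_devices(entries)
            if e["kind"] == "device_path" and e["is_volume_interface"]
            and e["bus"].upper() not in allowed]


def read_live_mounted_devices() -> dict:
    """Read the real key on Windows; on other platforms return an empty dict."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\MountedDevices") as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values remain
                break
            entries[name] = value
            index += 1
    return entries


# Constructed sample key. The two \??\Volume{...} names are the ones quoted in
# the post; the device paths and disk signature are invented but follow the real layout.
SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\C:": struct.pack("<IQ", 0x1A2B3C4D, 32256),
    r"\??\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}":
        (r"\??\IDE#CdRomCONSTRUCTED_DRIVE#5&1234abcd&0&0.0.0"
         r"#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
    r"\??\Volume{317fd9f2-e117-11d9-9ee5-806d6172696f}":
        (r"\??\FDC#GENERIC_FLOPPY_DRIVE#6&abcd1234&0&0"
         r"#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
}

if __name__ == "__main__":
    entries = read_live_mounted_devices() or SAMPLE_MOUNTED_DEVICES
    for entry in summarize_mounted_devices(entries):
        print(entry)
    print("unexpected:", unexpected_buses(entries, ["IDE", "FDC"]))
```

Run on Windows it reads the live key; elsewhere it falls back to the constructed sample. Entries whose bus is IDE or FDC and whose device id matches the drives actually installed are the ordinary registration of those drives, so the thing to compare is the bus and device id against the hardware in the machine, not the presence of the GUID itself.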
  #2  
Old 22-06-2005
SRGriffin
 
Posts: n/a
RE: HELP! Terminal Service Trojan??


A few more details:

I think that this "thing" sits on a system partition it hijacks during setup
and then never tells the OS setup is finished so the system partition never
gets erased.

It is clearly also doing a system restore or backup at every boot to make
sure it comes back.

It also seems to create a shadow copy of itself. The OS reports I run out of
space for occasional updates, when everything says I have 25+ gigs.

A number of the controls appear to be either java or .net "copies".

Communicates w/ pipes. Sets up a web server, as evidenced by the inetsrv folder
in c:\windows (unless that's an office thing). Seems to "encode" data into
media streams and use ADO. Sets up update services so the "terminal os" gets
patched versions of updates or doesn't install them (or uninstalls them).
Disables motherboard devices through invalid updates with smbios...maybe
firmware, which disables any ability to boot first or get to the cmos on
some systems.

Caches software and then runs it through a host3g.dll or similar and looks
like it uses the processor performance counters to monitor things.

If you're successful in getting the system partition removed, then you've also
removed your registry so it won't boot.

Creates $winnt$.inf where I think it may mount from??

I know this sounds a bit paranoid, but I have all the data....after months!
of banging my head.

please let me know if this is all really legit so I can stop looking at
this!!:)

  #3  
Old 22-06-2005
Mike Brannigan [MSFT]
 
Posts: n/a
Re: HELP! Terminal Service Trojan??

If you believe you have something on your disk that is surviving a "disk
wipe" (this really depends on what you think you are doing and how you are
doing this) - then low level format the entire disk (you do this at your own
risk and must follow the manufacturer's instructions for this process).

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

  #4  
Old 22-06-2005
SRGriffin
 
Posts: n/a
Re: HELP! Terminal Service Trojan??

I guess what I mean to say is that it survives the "process" of a diskwipe.
(A diskwipe meaning a DOD diskwipe in Ghost and a Secure erase in
diskpartition). So either something is booting off the disk and redirecting
IO, or there is something in flash memory somewhere that comes back, or some
combination.

So since this isn't some known MS thing, I'll start posting more liberally
around the web to see what I can find.

Any way to verify my observations?

  #5  
Old 25-06-2005
Merna E via WindowsKB.com
 
Posts: n/a
Re: HELP! Terminal Service Trojan??

First, you are not crackers. This is a very nasty bug that thankfully does
not seem to be widespread.
My system is infected with it also and I came here to find out how to get rid
of it.
As far as wiping the hard drive, it doesn't work. I have personally increased
the value of Seagate stock
because of this nasty bug.
There is a file called delete driver, called from a DODONt.bat.
It removes your driver and replaces it with its own driver which reinstalls
its OS
held in the upper memory of DOS.
I am trying to figure out how to get my driver back into DOS.
The delete driver command looks like this;
cd\
wscript c:\hp\bin\waitAndDelete.jse "%1" /wait:1 //b
if exist "%1" rd /s /q "%1"

REM this file called

  #6  
Old 25-06-2005
Merna E via WindowsKB.com
 
Posts: n/a
Re: HELP! Terminal Service Trojan??

You are not crackers. It removes your cdrom drivers and replaces them
with a fake driver that links to its hideaway in DOS upper memory and just
re-installs
its own modified version of whatever os you are running.

I have the same bug and have been hunting a fix for it.
I have trashed three computers and ruined countless hard drives trying to get
rid of this nasty thing.
The Delete Driver file is called by device driver's DODONT.bat
looks like this;
cd\
wscript c:\hp\bin\WaitAndDelete.jse "%1" /wait:1 //b
if exist "%1" rd /s /q "%1"

No one has seen this thing. They all tell me I'm crackers, it can't do that,
but it did.
It takes advantage of several exploits, it's like three worms in one.
It is even running TaToo to infest jpg files.

Now this part no one believes but it's in there; I couldn't figure out how I
kept getting re-infested,
New puters, not hooked to internet, and it would load at start up!
It opens a backdoor port to let a hacker in and he, or the original
infestation, must have somehow got into my HP Laserjet 5m
printer and changed the network configuration files on the printer.
So now I have to figure out how to clean that and the puter.


  #7  
Old 25-06-2005
Merna E via WindowsKB.com
 
Posts: n/a
Re: HELP! Terminal Service Trojan??

The two languages you are seeing are regular
Chinese and simple Chinese.

I found most of the log files on its installation.
I found a list of all the files it deleted, I am not a computer guru though
and have no idea how to fix this mess I have.
I found a perl/cmd script File: Author kumarp 21-August-98
also there is a RPCRC.BAT that locates and changes the partition
It (the bug) changes Norton firewall and Virus detection, changed the windows
firewall, and disables the service pack 2 patches.

I am stuck with web-tv so I can't cut and paste.
I wouldn't anyway as I don't want to give a complete road map
on how to build and run this monster. But if
someone at microsoft is willing to help us I would be more than glad to print
this mess out and mail it to them.
Look for a file regopt, it gives the unattended file path.

There is a file BDMI which shows buildId=44NAheBLW1
and sets a something called TATOO_VER=61
I checked the Symantec site and this seems to be a file for encrypting text
into jpg files.
Anyone know for sure what it is and what it does?

I don't know what else to say but hope someone can help us get rid of this
thing.
Thanks

  #8  
Old 25-06-2005
Mike Brannigan [MSFT]
 
Posts: n/a
Re: HELP! Terminal Service Trojan??

Create a bootable floppy on a known clean machine.
Boot from that and run the low level format tool from your harddisk vendor -
there is no way for anything to survive that.
Then boot from the operating system CD (known to be clean) and reinstall your OS.
Any further infection is caused by external infection or you're using
infected media or restoring infected data.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

  #9  
Old 01-07-2005
SRGriffin
 
Posts: n/a
RE: HELP! Terminal Service Trojan??

Mike,

Any way to boot off an XP setup disk and break into a command prompt to ensure
it isn't reading an unattend file? Or force setup to wipe everything (format
in setup doesn't work)?

Great suggestion on the low-level, unfortunately since nothing detects this
"problem" I have no way to know if I have a clean disk. I initially went to
Kinko's to download tools, but am now wondering if my current issues are from
Kinko's....either viral or strange group policy settings. And, even if I
could get a clean floppy, it appears to infect the DMI so prevents doing
anything to the disk....formats don't work (although maybe the hardware guys
can do something directly and I will try it).

Other information for any that care:
Delete partition through setup (and create a new, different size partition)
doesn't work (log files dated from before installation). Seems to be
"mirrored" somewhere. Did find references to a "SunDisk" shadow??

Uses Performance Counters, Speech interface, SWflash, Media Encoding, .NET,
java and VSB. Looks like it runs Internet 4.0.

Boots a "SR" service which seems to restore everything to the initial image.

I think it encodes data with media encoding both to hide and to issue
"speech" commands.

Have "run into" a few websites that cause the browser to spit back a screen
about my own configuration, i.e. PSP install details, listing server details
which includes my IP. MS site failed because of my "web.config" which has
set to "remote only", among other things (haven't been able to find this
"web.config").

well...pulling out my hair! While this is definitely sophisticated, it isn't
technically difficult, so surprised no one seems to have heard or seen
anything like this.

Please add anything if anyone knows anything about this!

  #10  
Old 04-07-2005
Merna E via WindowsKB.com
 
Posts: n/a
RE: HELP! Terminal Service Trojan??

To make any headway with this thing you are going to have to take back
ownership of the files. It changes the registry completely.
There is a software program inside it called ICE; it's a do not install file.

It's a backdoor worm that changes the system files and registry. It runs
through Real tech file. Go into services and turn off the sound. on both the
local and extended.
Once you turn off the sound you can access some of the files that keep
telling you it is being used by another program.

I'll tell you there is no easy fix for this one. It replaces all the drivers
with it's own driver files. All Legacy

There is hardly anything left of the original registry.
The worm is hidden in the PC-Doctor files to begin with but it looks like it
has replicated itself in several different file.. It's the service that is
running as a user.
In the Permissions it is listed as a user with a long number that is
preceded by the letter "S".
It also has a backup restore file with asr keys Not to restore, files not to
back up, keys not to restore.
It has a file named Biosinfo, cmos handler, a boot verification program,
something called Hall C state Hacks.

There is a file named "secrets" that has all their passwords. Five preset
users come with the worm.

If your worm is not a later version of the one I have the same passwords
might be in it;
CupdTime
CurrVal
OldVal
OupdTime
SecDesc

Looks like the first one has the most access.

I don't know if you can see my post or not.

If so, a reply would be nice.

  #11  
Old 05-07-2005
Merna E via WindowsKB.com
 
Posts: n/a
Re: HELP! Terminal Service Trojan??

Mike,

Software loaded;
Adobe
Agere
Apple Computer, Inc.
Avance
BackWeb
CO7ft5Y
Classes
Clients
Detto Technologies Inc.
Gemplus
Genesys Logic
HP
Ice
InstallShield
INTEL
InterMute
InterVideo
JavaSoft
L&H
Lead Technologies
Microsoft
MicroVision
Motive
MozillaPlugins
muvee Technologies
ODBC
PC-Doctor
Polices
Python
RealNetworks
Realtec
S3
Schlumberger
Secure
Sonic
Symantic
Wilson WindowWare
Windows 3.1 Migration Status
Xing Technology Corp.


--
Message posted via WindowsKB.com
http://www.windowskb.com/Uwe/Forums....urity/200507/1

  #12  
Old 06-07-2005
Merna E via WindowsKB.com
 
Posts: n/a
Re: HELP! Terminal Service Trojan??

Sorry, this web-tv browser doesn't let me see what I have written until it's
posted.
Correction; The "Shells" in the regs are for the Local machine. It is set up
with facia from XP both home and Pro, Millennium and 98.
It seems to have the ability to pick up the facia of whatever OS the victim's
machine is running.


Mike,

I can't re-install os as it won't recognise the cdrom.
It keeps re-installing from the partition. Regs set up which disallow the
format to wipe the partition. It is in protected storage regs.
Partition is set up with persistent regs which it won't allow me to delete.
Thanks


