RE: SuS "trojan" in XP -- Changes OS and creates "virtual" remote desk

From: SRGriffin (SRGriffin_at_discussions.microsoft.com)
Date: 04/18/05 

Date: Mon, 18 Apr 2005 03:45:01 -0700

Here are a few more details:

On a compaq laptop I took apart to replace the DVD Drive, among other things
(Bought it new from Circuit City).

Ghost Wipe the drive, then loaded the OS image with the Compaq restore
disks(4 CDs). Loaded SP2 from CD from MS. Loaded Norton Security 2005,
Partition Commander 9, Fix-it Utilities. Renamed or deleted directories
containing any .Cab files or other possible installation sources. Cleaned
registry with "fix-it" default, safe settings.

Connected to direct internet connection to get updates and then
disconnected....

One of the updates automatically downloaded...Virtual PC Update!??

Hidden devices in control panel include: ACPI-Complient Embedded Controller;
AFD Networking Support Environment; clntmgmt.sys, dmboot, dmload, EABFilter,
Fallback, ksecdd, mnmdd, Fsks, RDPCDD, ParVdm.....more but realize some might
be XP standard ???

SQL Server and ISS appear to be install, but can't update them. IE 4.0 gets
installed and IEAK.

All computers have registry settings for:
Key Name: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\COMPAQ\0818\06040000
Class Name: <NO CLASS>
Last Write Time: 4/17/2005 - 5:10 PM
Value 0
  Name: 00000000
  Type: REG_BINARY
  Data: <<Nearly 10kb in data follow>>

Key Name: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port
0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Class Name: <NO CLASS>
Last Write Time: 4/17/2005 - 5:10 PM
Value 0
  Name: Identifier
  Type: REG_SZ
  Data: FUJITSU MHR2030AT

Key Name: HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\Hardware
Abstraction Layer\ACPI Compatible Eisa/Isa HAL
Class Name: <NO CLASS>
Last Write Time: 4/17/2005 - 5:10 PM
Value 0
  Name: .Raw
  Type: REG_RESOURCE_LIST
  Data:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ComServersTable.ComServersTable.1\CLSID
  Data: {7B3125F4-F14D-11D1-BE0C-000000000000}
HLM\System\CurrentControlSet\Services\Abiosdsk
HLM\System\CurrentControlSet\Services\basic2\enum\0
HLM\System\CurrentControlSet\Services\Cnxtdiag\Enum\0
HLM\System\CurrentControlSet\Services\dmadmin\
HLM\System\CurrentControlSet\Services\dmboot\
HLM\System\CurrentControlSet\Services\dmio\
HLM\System\CurrentControlSet\Services\EABFilter --> image:
\??\C:\WINDOWS\System32\drivers\EABFiltr.sys
HLM\System\CurrentControlSet\Services\MSPQM --> image:
system32\drivers\MSPQM.sys
HLM\System\CurrentControlSet\Services\MRxDAV\EncryptedDirectories\
HLM\System\CurrentControlSet\Services\MSIServer ---> MS Installer Server
HLM\System\CurrentControlSet\Services\P3\Enum\INITSTARTFAILED ---> 1 <<P4
System>>
HLM\System\CurrentControlSet\Services\Ql10wnt\Group\SCSI Miniport\
HLM\System\CurrentControlSet\Services\RASl2tp
HLM\System\CurrentControlSet\Services\RASMan
HLM\System\CurrentControlSet\Services\SharedAccess\Epoch\ <<<No Sharing
Enabled>>>
HLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ --->xpsp2res.dll,-22019
HLM\System\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\
HLM\System\CurrentControlSet\Services\Simbad
HLM\System\CurrentControlSet\Services\Sparrow\Parameters\PnpInterface\1 --> 1
HLM\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Well Known
Guids\AppleTalk \IsoTp \McsXns
HLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\image ==> winrnr.dll
HLM\SYSTEM\CurrentControlSet\Services\wmiApSrv
HLM\SYSTEM\CurrentControlSet\Services\wuauserv\parameters\SerivceDll -->
wuauserv.dll
HLM\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1\

HLM\SYSTEM\CurrentControlSet\Control\Arbiters\BrokenMemAtF8...\BrokenVideo
...\Root
HLM\SYSTEM\CurrentControlSet\Control\GroupOrderList\base
....\filter..\FSFilter {cluster,compression,replication, top....}
HLM\SYSTEM\CurrentControlSet\Control\HAL\CStateHacks
HLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages --> msv 1_0
HLM\SYSTEM\CurrentControlSet\Control\Lsa\forceguest --> 1
HLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot ---> 1
HLM\SYSTEM\CurrentControlSet\Control\Session Manager\SFC\CommonFilesDir
\ProgramFilesDir
HLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Kmode
\Optional \Posix... \Windows
HLM\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType ---> WinNT
HLM\SYSTEM\CurrentControlSet\Control\Session
Manager\AppPatches\INSTSCR\ff060102c47b1f00040750db0100\e
    <<Notice Offset on Hard drive>>
HLM\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume\1&30a96598&0&Signature24DA24D9Offset7E00Length6FC7C0200\Control

HLM\SOFTWARE\ATI Technologies\CDS\System\0
HLM\SOFTWARE\GIANTCompany\AntiSpyware\ <<MS AntiSpyWare>>
HLM\SOFTWARE\ODBC\ODBC.INI\ODBC File DSN\DefaultDSNDir

HCU\Software\Microsoft\IEAK
HCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
    HRZR_EHACNGU:::{20Q04SR0-3NRN-1069-N2Q8-08002O30309Q}
   HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\abgrcnq.rkr
    HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Abgrcnq.yax
     HRZR_PGYPHNPbhag:pgbe
HCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\5.0\Cache\Extensible Cache\MSHist012005041820050419

Partition Commander (scout) log: [small portion]
==============START OF PARTITION MANAGER ============
   Drive 0 (ATA) - Validated
     From Windows (#0): 27.944 GB Total sectors = 58605120 (LBA -0)
                        Cylinders = 3648 Tracks = 255 Sectors/track = 63
     From controller: 27.944 GB Total sectors = 58605120
                        Cylinders = 16383 Tracks = 16 Sectors/track = 63
       HD-model: FUJITSU MHR2030AT (firmware 53BB) s/n: NJ36T2915YRW
       Supports drive > 137 GB
       Features: power=yes, removable=no, fault-detect=yes, security=yes
(0009)
       Host protected area supported & enabled w/48-bit addr. (none used)
   Drive & --Starting-- ---Ending--- -------Sectors------- ---Size
in GB-- Clust
   Partition ID Sec Hd Cyl Sec Hd Cyl First Total Total
 Unused size Volume label
C: +0-0 07 1 1 0 63 254 1023 63 58605057 27.944
 FSv3.1 4K
    0-1 00 0 0 0 0 0 0 0 0 0
      - -
    0-2 00 0 0 0 0 0 0 0 0 0
      - -
    0-3 00 0 0 0 0 0 0 0 0 0
      - -
~~~~~~~~~~~~~~~~~~ <<<Con't>> ~~~~~~~~~~
      3) Media descriptor byte (never below F0h) F8
      4) Sectors per track (should match the disk) 63
      5) Tracks per cylinder (should match the disk) 255
      6) Total sectors from the partition entry 58605057
      7) Total sectors from boot (should match partition) 58605056
      8) Extended signature (29h for FAT/FAT32, 80h for NTFS) 80
      9) File system ID "NTFS "
     10) Start of the MFT 804864
     11) Start of the MFT copy 2098486
     12) Clusters per MFT record (power of 2 or F6h for 1K) F6h
     13) Clusters per index record (power of 2 or F4h for 4K) 01h
     14) Volume label ""

==========================END OF PARTITION MGR==========================

Any other thoughts or comments? Still working on getting server up to
manage these better....will that work with Home?

"SRGriffin" wrote:

> I have a small network of XP machines, mostly XP Home that appear to have an
> Sus installation that propages to them. It looks like it installs an NT or
> 2000 headless boot (maybe XP embedded??) and gives me remote desktop that
> looks exactly like XP, but has a lot of strange behavior (Looks like NT or
> 2000 is installed, all devices are legacy, network traffic is forwarded from
> loopback to "host", don't seem too have full permissions, etc.)
>
> I've been trying to figure this one out for months and keep thinking I'm
> just paranoid. Not being an XP expert (silicon and systems design) it took
> me awhile to find all the pieces I'm still sorting out.
>
> I'm DEFINATELY on a remote desktop, SuS is installed, MMC console appears to
> be modified (mmccmdmgr.dll) w/ VB6 and the CD-Rom(s) are redirected and don't
> give me what's really on them or "read them". Downloaded packages are
> "signed". but the time stamp is off by a year or more, and they contain
> things they shouldn't.
>
> The USB drivers I downloaded from ViaForum are filled with QFE fills for
> instance.
>
> Even a Ghost diskwipe doesn't seem to get everything (Thinking it writes
> stuff into the BIOS DMI).
>
> All virus scans and spyware come back negative, but have realized, at least
> in some cases, it either kills the app I started (Norton 2005) and starts an
> older version (Norton 2002) or else it scans a clean part of the disk only.
> (There's some disk space I can't access and found some code that looked like
> it would return a "sector error" w/o the key).
>
> I know this sounds like the ultimate paranoid delusion, but I'm sure it's
> there. Although to be fair, until December when this first started to become
> obvious, my security inside the firewall was pretty terrible. Since I had
> tons of development stuff -- compilers, VM Ware, bits of old OSes in archives
> -- it's possible someone or some program had a lot of time to set all this
> stuff up. I also had 2003 server on the network, just to install (and
> thought I had remove all the others from the network), and could have done
> something then..although nothing intentional and certainly not too the extent
> that I see (Like NT/2000 files).
>
> My first question is: What's the cleanest way to remove SuS and get the
> correct CAT files back and being referenced on XP Home? (SFC scan asks for a
> 2000 disk, which I obviously don't have).
>
> Second question: While this may be just be, I've seen similar behavior on
> friends computers (although they've all had some sort of contact with my
> environment). Is there a quick way to detect SuS and some boot server
> running?
>
> Last Question: Anyone EVER heard of this? Is this a know issue I just
> haven't been able to find anything about?
>
> I'm happy to share bunches of data with anyone that wants it (or thinks I'm
> just paranoid;). I'm currently thinking I'll be able to hook the 2003 server
> back up and fix them through group and local policy changes, but it would be
> nice if there was an easier fix.
>
> Regards,
> SRGriffin

Relevant Pages