Re: HELP! Terminal Service Trojan??
- From: eidolen <eidolen.2p6wzm@xxxxxxxxxxxxx>
- Date: Tue, 17 Apr 2007 20:26:52 +0530
Thank you for the reply.
Unfortunately I am on the cusp of being out of steam to continue
pursuing this anymore. As far as which tools I've tried I'd have to
respond..All of them. I have honestly tried every thing I can think of
so far but it's no good. I believe that all of my Bart disks were
probably infected so I've never really had a clean environment to work
with in the first place.
My last hurrah attempts at obtaining a clean environment went like
this.
Backed up all my data on a 500gb usb drive.
Used Bart's Boot N Nuke with the DoD option.
Removed CMOS battery for an hour.
Installed Windows from factory CD.
No good!
Pulled CMOS battery again.
Went out and bought a new drive.
Disconnected old drives completely.
Disconnected all but monitor, ps2 KB & mouse.
Replaced battery.
Set BIOS from scratch
Booted and installed from factory CD again.
No Good!!!
Last attempt went like this.
Installed NLite.
Used autopatcher to slipstream latest patches.
Unchecked every option in NLite that I thought I could get away with.
Installed Nlite version.
(This option seems to have at least crippled the trojan in the amount
of software it was able to install on my machine though it still
managed to install SQL server again.)
Upon first boot I installed Kerio 2.15 and it seems to be catching some
of the attempts to "call home" when I connect to the web. It tried to
pull Windows updates from a redirected unknown.xeex.net for instance.
It also was trying to communicate with a private IP which I assume is
yet another zombie.
Well now that I have such a small footprint on my drive I re-ran all
the virus scanners yet again with most of them finishing in less than 5
minutes. I ran the ones I could from the BartPE disk though not all of
them work completely like that so I ran the others in RescueMe or safe
mode. I also ran all of the spyware blaster type programs to no avail.
Lastly I made a Knoppix CD and ran F-Prot from a Linux environment but
still nada.
The list of Antivirus progs I've tried:
Antivir - Avast - Sophos - McAfee - Comodo - Kaspersky (AOL ver) -
F-Prot - ClamWin - AVG - Trend Micro - DrWeb - Maybe others I forgot.
The list for spyware detection software I ran is just as comprehensive
so I won't list them. I am afraid to try any web based scans as they
all require IE with ActiveX enabled and I believe I would be
compromised further enabling that functionality.
I ran what I could via Bart or RescueMe within Bart but no joy. In their
defence they did find a bunch of viruses when I first started this but I
believe I have this last Worm/Virus/Trojan narrowed down but it refuses
to be identified.
I have also run every rootkit detector I could get my hands on but...
The last malware I did catch was only seen by System Virginity Verifier
but it doesn't actually tell you what the malware is.
Now, the real question remains....
Where is this thing living? I can understand that all of my machines
were compromised before I began, making it near impossible to work from
a clean environment but my attempt involving a new drive should have
worked unless it lives somewhere inside my BIOS or video card memory.
What baffles me is all the research I've done basically says that no
one has managed to make a virus with those capabilities yet. (Black Hat
has a proof of concept BIOS rootkit supposedly) That there are only a
few out there that deal with the BIOS at all and all they do is
manipulate it or destroy it but never live and survive there. So what
does this mean?
Well anyway...I'm not sure how much steam I have left for this thing. I
guess I'll go post a HijackThis log somewhere and see if anyone can
figure it out but that log never shows anything fishy that I can see.
Once again, thanks for your reply and I did pick up some useful tips
from your post that I might try out as well. I just wish this thing were
better documented so I knew more what to look for but it seems I have
some home-made strain that just isn't widespread enough.
Best Regards,
Eidolen