Re: SuS "trojan" in XP -- Changes OS and creates "virtual" remote desk

Posted by markholmes on April 29, 2006, 6:08 pm

SRGriffin wrote:
> *Here are a few more details:
>
> On a compaq laptop I took apart to replace the DVD Drive, among other things
> (Bought it new from Circuit City).
>
> Ghost Wipe the drive, then loaded the OS image with the Compaq restore
> disks (4 CDs). Loaded SP2 from CD from MS. Loaded Norton Security 2005,
> Partition Commander 9, Fix-it Utilities. Renamed or deleted directories
> containing any .Cab files or other possible installation sources. Cleaned
> registry with "fix-it" default, safe settings.
>
> Connected to direct internet connection to get updates and then
> disconnected....
>
> One of the updates automatically downloaded...Virtual PC Update!??
>
> Hidden devices in control panel include: ACPI-Compliant Embedded Controller;
> AFD Networking Support Environment; clntmgmt.sys, dmboot, dmload, EABFilter,
> Fallback, ksecdd, mnmdd, Fsks, RDPCDD, ParVdm.....more but realize some might
> be XP standard ???
>
> SQL Server and ISS appear to be installed, but can't update them. IE 4.0 gets
> installed and IEAK.
>
> All computers have registry settings for:
> Key Name: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\COMPAQ18040000
> Class Name: <NO CLASS>
> Last Write Time: 4/17/2005 - 5:10 PM
> Value 0
> Name: 00000000
> Type: REG_BINARY
> Data: <<Nearly 10kb in data follow>>
>
> Key Name: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
> Class Name: <NO CLASS>
> Last Write Time: 4/17/2005 - 5:10 PM
> Value 0
> Name: Identifier
> Type: REG_SZ
> Data: FUJITSU MHR2030AT
>
> Key Name: HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\Hardware Abstraction Layer\ACPI Compatible Eisa/Isa HAL
> Class Name: <NO CLASS>
> Last Write Time: 4/17/2005 - 5:10 PM
> Value 0
> Name: .Raw
> Type: REG_RESOURCE_LIST
> Data:
> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ComServersTable.ComServersTable.1\CLSID
> Data:
> HLM\System\CurrentControlSet\Services\Abiosdsk
> HLM\System\CurrentControlSet\Services\basic2\enum
> HLM\System\CurrentControlSet\Services\Cnxtdiag\Enum
> HLM\System\CurrentControlSet\Services\dmadmin\
> HLM\System\CurrentControlSet\Services\dmboot\
> HLM\System\CurrentControlSet\Services\dmio\
> HLM\System\CurrentControlSet\Services\EABFilter --> image: \??\C:\WINDOWS\System32\drivers\EABFiltr.sys
> HLM\System\CurrentControlSet\Services\MSPQM --> image: system32\drivers\MSPQM.sys
> HLM\System\CurrentControlSet\Services\MRxDAV\EncryptedDirectories\
> HLM\System\CurrentControlSet\Services\MSIServer ---> MS Installer Server
> HLM\System\CurrentControlSet\Services\P3\Enum\INITSTARTFAILED ---> 1 <<P4 System>>
> HLM\System\CurrentControlSet\Services\Ql10wnt\Group\SCSI Miniport\
> HLM\System\CurrentControlSet\Services\RASl2tp
> HLM\System\CurrentControlSet\Services\RASMan
> HLM\System\CurrentControlSet\Services\SharedAccess\Epoch\ <<<No Sharing Enabled>>>
> HLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ --->xpsp2res.dll,-22019
> HLM\System\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\
> HLM\System\CurrentControlSet\Services\Simbad
> HLM\System\CurrentControlSet\Services\Sparrow\Parameters\PnpInterface --> 1
> HLM\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Well Known Guids\AppleTalk \IsoTp \McsXns
> HLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries0000000002\image ==> winrnr.dll
> HLM\SYSTEM\CurrentControlSet\Services\wmiApSrv
> HLM\SYSTEM\CurrentControlSet\Services\wuauserv\parameters\SerivceDll --> wuauserv.dll
> HLM\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\http://tinyurl.com/e8zax
>
> HLM\SYSTEM\CurrentControlSet\Control\Arbiters\BrokenMemAtF8...\BrokenVideo .....\Root
> HLM\SYSTEM\CurrentControlSet\Control\GroupOrderList\base ......\filter..\FSFilter {cluster,compression,replication, top....}
> HLM\SYSTEM\CurrentControlSet\Control\HAL\CStateHacks
> HLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages --> msv 1_0
> HLM\SYSTEM\CurrentControlSet\Control\Lsa\forceguest --> 1
> HLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot ---> 1
> HLM\SYSTEM\CurrentControlSet\Control\Session Manager\SFC\CommonFilesDir \ProgramFilesDir
> HLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Kmode \Optional \Posix... \Windows
> HLM\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType ---> WinNT
> HLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppPatches\INSTSCR\ff060102c47b1f00040750db0100\e
> <<Notice Offset on Hard drive>>
> HLM\SYSTEM\CurrentControlSet\Enum\STORAGE\Volume&30a96598&0&Signature24DA24D9Offset7E00Length6FC7C0200\Control
>
> HLM\SOFTWARE\ATI Technologies\CDS\System
> HLM\SOFTWARE\GIANTCompany\AntiSpyware\ <<MS AntiSpyWare>>
> HLM\SOFTWARE\ODBC\ODBC.INI\ODBC File DSN\DefaultDSNDir
>
> HCU\Software\Microsoft\IEAK
> HCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\\Count
> HRZR_EHACNGU:::
> HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\abgrcnq.rkr
> HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Abgrcnq.yax
> HRZR_PGYPHNPbhag:pgbe
> HCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.0\Cache\Extensible Cache\MSHist012005041820050419
>
>
>
> Partition Commander (scout) log: [small portion]
> ==============START OF PARTITION MANAGER ============
> Drive 0 (ATA) - Validated
> From Windows (#0): 27.944 GB Total sectors = 58605120 (LBA -0)
> Cylinders = 3648 Tracks = 255 Sectors/track = 63
> From controller: 27.944 GB Total sectors = 58605120
> Cylinders = 16383 Tracks = 16 Sectors/track = 63
> HD-model: FUJITSU MHR2030AT (firmware 53BB) s/n: NJ36T2915YRW
> Supports drive > 137 GB
> Features: power=yes, removable=no, fault-detect=yes, security=yes (0009)
> Host protected area supported & enabled w/48-bit addr. (none used)
> Drive &       --Starting--  ---Ending---  -------Sectors-------  ---Size in GB--  Clust
> Partition ID  Sec Hd Cyl    Sec Hd Cyl    First Total            Total Unused     size  Volume label
> C: +0-0 07 1 1 0 63 254 1023 63 58605057 27.944 FSv3.1 4K
> 0-1 00 0 0 0 0 0 0 0 0 0 - -
> 0-2 00 0 0 0 0 0 0 0 0 0 - -
> 0-3 00 0 0 0 0 0 0 0 0 0 - -
> ~~~~~~~~~~~~~~~~~~ <<<Con't>> ~~~~~~~~~~
> 3) Media descriptor byte (never below F0h) F8
> 4) Sectors per track (should match the disk) 63
> 5) Tracks per cylinder (should match the disk) 255
> 6) Total sectors from the partition entry 58605057
> 7) Total sectors from boot (should match partition) 58605056
> 8) Extended signature (29h for FAT/FAT32, 80h for NTFS) 80
> 9) File system ID "NTFS "
> 10) Start of the MFT 804864
> 11) Start of the MFT copy 2098486
> 12) Clusters per MFT record (power of 2 or F6h for 1K) F6h
> 13) Clusters per index record (power of 2 or F4h for 4K) 01h
> 14) Volume label ""
>
> ==========================END OF PARTITION MGR==========================
>
> Any other thoughts or comments? Still working on getting server up to
> manage these better....will that work with Home?
>
>
> "SRGriffin" wrote:
>
> > I have a small network of XP machines, mostly XP Home that appear to have a
> > SuS installation that propagates to them. It looks like it installs an NT or
> > 2000 headless boot (maybe XP embedded??) and gives me remote desktop that
> > looks exactly like XP, but has a lot of strange behavior (Looks like NT or
> > 2000 is installed, all devices are legacy, network traffic is forwarded from
> > loopback to "host", don't seem to have full permissions, etc.)
> >
> > I've been trying to figure this one out for months and keep thinking I'm
> > just paranoid. Not being an XP expert (silicon and systems design) it took
> > me a while to find all the pieces I'm still sorting out.
> >
> > I'm DEFINITELY on a remote desktop, SuS is installed, MMC console appears to
> > be modified (mmccmdmgr.dll) w/ VB6 and the CD-Rom(s) are redirected and don't
> > give me what's really on them or "read them". Downloaded packages are
> > "signed", but the time stamp is off by a year or more, and they contain
> > things they shouldn't.
> >
> > The USB drivers I downloaded from ViaForum are filled with QFE fills for
> > instance.
> >
> > Even a Ghost diskwipe doesn't seem to get everything (Thinking it writes
> > stuff into the BIOS DMI).
> >
> > All virus scans and spyware come back negative, but have realized, at least
> > in some cases, it either kills the app I started (Norton 2005) and starts an
> > older version (Norton 2002) or else it scans a clean part of the disk only.
> > (There's some disk space I can't access and found some code that looked like
> > it would return a "sector error" w/o the key).
> >
> > I know this sounds like the ultimate paranoid delusion, but I'm sure it's
> > there. Although to be fair, until December when this first started to become
> > obvious, my security inside the firewall was pretty terrible. Since I had
> > tons of development stuff -- compilers, VM Ware, bits of old OSes in archives
> > -- it's possible someone or some program had a lot of time to set all this
> > stuff up. I also had 2003 server on the network, just to install (and
> > thought I had removed all the others from the network), and could have done
> > something then..although nothing intentional and certainly not to the extent
> > that I see (Like NT/2000 files).
> >
> > My first question is: What's the cleanest way to remove SuS and get the
> > correct CAT files back and being referenced on XP Home? (SFC scan asks for a
> > 2000 disk, which I obviously don't have).
> >
> > Second question: While this may just be me, I've seen similar behavior on
> > friends' computers (although they've all had some sort of contact with my
> > environment). Is there a quick way to detect SuS and some boot server
> > running?
> >
> > Last Question: Anyone EVER heard of this? Is this a known issue I just
> > haven't been able to find anything about?
> >
> > I'm happy to share bunches of data with anyone that wants it (or thinks I'm
> > just paranoid;). I'm currently thinking I'll be able to hook the 2003 server
> > back up and fix them through group and local policy changes, but it would be
> > nice if there was an easier fix.
> >
> > Regards,
> > SRGriffin *



--
markholmes
------------------------------------------------------------------------
Posted via http://www.webservertalk.com
------------------------------------------------------------------------
View this thread: http://www.webservertalk.com/message1024236.html
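One thing in the quoted registry dump that can be checked rather than guessed at is the UserAssist block (the HRZR_... names). Windows XP stores every value name under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count rotated with ROT13, which is obfuscation, not encryption, and is the normal Explorer behaviour on a clean install. The script below is an added example, not code from the thread or from any tool named in it: it decodes the four names SRGriffin quoted and parses a constructed XP-style 16-byte value (session id, run counter, last-run FILETIME). The sample value and the timestamp in it are constructed for the demonstration; the prefix meanings are the well-known XP ones.

```python
import codecs
import struct
from datetime import datetime, timedelta

# The four UserAssist value names quoted in the post (copied verbatim). XP stores
# every name under ...\Explorer\UserAssist\{GUID}\Count ROT13-rotated, which hides
# them from a casual registry search but is trivially reversible.
SAMPLE_NAMES = [
    "HRZR_EHACNGU:::",
    r"HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\abgrcnq.rkr",
    r"HRZR_EHACVQY:%pfvqy2%\Npprffbevrf\Abgrcnq.yax",
    "HRZR_PGYPHNPbhag:pgbe",
]

# Meaning of the decoded prefixes on XP. UEME_RUNPATH with an empty payload
# (":::") is the aggregate counter for all launches by path.
PREFIX_MEANING = {
    "UEME_RUNPATH": "program launched by full path",
    "UEME_RUNPIDL": "item launched via a shell shortcut (.lnk)",
    "UEME_CTLCUACount": "Explorer/Start-menu control usage counter",
}


def decode_name(name: str) -> str:
    """ROT13 is an involution, so applying it once more recovers the clear name.
    Digits, punctuation and backslashes are untouched, so paths survive intact."""
    return codecs.decode(name, "rot_13")


def classify(name: str) -> tuple:
    """Return (decoded name, meaning of its prefix, payload after the first colon)."""
    decoded = decode_name(name)
    prefix, _, payload = decoded.partition(":")
    return decoded, PREFIX_MEANING.get(prefix, "unknown prefix"), payload


def decode_all(names=SAMPLE_NAMES) -> list:
    return [classify(n) for n in names]


def to_filetime(dt: datetime) -> int:
    """UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01)."""
    return int((dt - datetime(1601, 1, 1)).total_seconds()) * 10_000_000


def parse_xp_value(raw: bytes) -> dict:
    """XP-era UserAssist value layout: session id (uint32), run counter (uint32),
    last-run FILETIME (uint64), all little-endian. XP initialises the counter
    at 5, so the number of real launches is stored_count - 5."""
    if len(raw) != 16:
        raise ValueError("XP UserAssist values are exactly 16 bytes")
    session, count, filetime = struct.unpack("<IIQ", raw)
    last_run = None
    if filetime:
        last_run = datetime(1601, 1, 1) + timedelta(microseconds=filetime // 10)
    return {"session": session, "run_count": max(count - 5, 0), "last_run": last_run}


# Constructed sample value (not from the post): session 1, stored counter 8
# (three real launches), last run 2005-04-18 00:00:00 UTC, the first date
# encoded in the MSHist012005041820050419 cache key the poster listed.
SAMPLE_VALUE = struct.pack("<IIQ", 1, 8, to_filetime(datetime(2005, 4, 18)))


if __name__ == "__main__":
    for decoded, meaning, _payload in decode_all():
        print(f"{decoded:55s} {meaning}")
    print(parse_xp_value(SAMPLE_VALUE))
```

Decoding the quoted names gives UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe and UEME_RUNPIDL:%csidl2%\Accessories\Notepad.lnk, i.e. Notepad started from the Start menu Accessories folder, which is ordinary user activity rather than a sign of a hidden OS. When triaging a machine like this, decode the full Count list the same way and look at the run counts and last-run times before treating any of the names as suspicious.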

