From: SRGriffin on
I'll try to be brief and follow-up with a few more details in "reply" posting.

It seems I have a trojan (or something...??) that I can't get rid of with a
disk wipe.

Why do I think I have a trojan?
General weird behavior, admins don't have permission for everything,
autoupdate doesn't always work, downloads appear to be "filtered" and
replaced (certificates on downloads invalid, wrong files, etc.), virus
software is removed, weird port activity, and unfamiliar "options" in software
installed.

Setup Process:
=================
Ghost &/or diskpartition secure disk wipe
Install XP Home w/ two user accounts
Install XP SP2 from MS disk (got in snail mail)
Install Norton Internet Security 2005 (also tried TrendMicro & Comp. Assoc)
Set Passwords for all accounts including Administrator (using net cmd)
Connect to Internet (through switch & firewalled gateway-->most ports blocked)
Get all latest Updates
Install Office 2003 Pro and get updates
(also tried various changes to this process including bios/cmos resets)
"Scans" are clean w/ software, internet website scans, and adaware/hotbot
(believe TS scanned, not host)

Results:
=========
PC appears to be added to a domain w/ AD. Users are <computername>\user
Registry has Sidebyside .NET installations
Templates and other components, like games, can't be removed through control
panel settings
Browser cache is "encrypted" and isn't removed through disk clean up or
"clear cache"

IME-chinese&japanese installed
IEAK installed

All devices are "legacy" and IDE is installed as SCSI


Boot partition is set to: \device\harddrive1\
Most hive files saved to: \device\harddrive1\ -- nothing in
c:\windows\system32\config\

Floppy and CD-Rom are mounted to hard drive (I think). CD-Rom is "cached" to
"CD_burning"

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
\??\Volume{317fd9f1-e117-11d9-9ee5-806d6172696f}
binary data indicates \??\cdrom mounted on
"stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
\??\Volume{317fd9f2-e117-11d9-9ee5-806d6172696f}
binary data indicates \??\genfloppy mounted on
"stuff"0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Registry has HLM->system->Setup key with "allowstart" for
AFD/Dcomlaunch/rpcss/protectedstorage/eventlog/plugplay/sacsvr/samss/ws2ifsl

Safemode looks like there are chinese or japanese characters in the corner

Laptop AGP Aperture mem is set to start at: F8000000 <--boot [desktop has
altered ACPI values?]

and logs like: TSCOS.LOG

Here's a snippet
++++++++++++++++++++++++++++++++++

*******Initializing Message Log:tsoc.dll 06/19/05 23:11:00
*******Version:Major=5, Minor=1, Build=2600, PlatForm=2, CSDVer=, Free

hydraoc.cpp(188)Entering OC_PREINITIALIZE
hydraoc.cpp(189)Component=terminalserver, SubComponent=?????????A
hydraoc.cpp(297)OC_PREINITIALIZE Done. Returning 1


hydraoc.cpp(188)Entering OC_INIT_COMPONENT
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
state.cpp(1006)Setup Parameters ****************************
state.cpp(1007)We are running on Wks
state.cpp(1008)Is this adv server No
state.cpp(1009)Is this Personal (Home Edition) Yes
state.cpp(1010)Is this SBS server No
state.cpp(1011)IsStandAloneSetup = No
state.cpp(1012)IsFreshInstall = Yes
state.cpp(1013)IsTSFreshInstall = Yes
state.cpp(1014)IsUnattendSetup = No
state.cpp(1015)IsUpgradeFromTS40 = No
state.cpp(1016)IsUpgradeFromNT50 = No
state.cpp(1017)IsUpgradeFromNT51 = No
state.cpp(1018)IsUnattended = No
state.cpp(1020)Original State ******************************
state.cpp(1021)WasTSInstalled = No
state.cpp(1022)WasTSEnabled = No
state.cpp(1023)OriginalPermMode = WIN2K
state.cpp(1037)Original TS Mode = TS Disabled
state.cpp(1050)Current State ******************************
state.cpp(1065)New TS Mode = Personal TS
state.cpp(1075)New Permissions Mode = PERM_WIN2K
state.cpp(1084)New Connections Allowed = False
hydraoc.cpp(297)OC_INIT_COMPONENT Done. Returning 0

hydraoc.cpp(188)Entering OC_EXTRA_ROUTINES
hydraoc.cpp(189)Component=terminalserver, SubComponent=(null)
hydraoc.cpp(297)OC_EXTRA_ROUTINES Done. Returning 0

hydraoc.cpp(188)Entering OC_QUERY_STATE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
hydraoc.cpp(704)Query State Asked For terminalserver, Original. Returning
SubcompOff
hydraoc.cpp(297)OC_QUERY_STATE Done. Returning 2

hydraoc.cpp(188)Entering OC_CALC_DISK_SPACE
hydraoc.cpp(189)Component=terminalserver, SubComponent=terminalserver
subcomp.cpp(153)In OCMSubComp::OnCalcDiskSpace for TerminalServices
subcomp.cpp(109)sectionname = <FreshInstallSection.pro.x86>, actual section
= <TerminalServices.FreshInstall.pro>
subcomp.cpp(172)Calculating disk space for add section =
TerminalServices.FreshInstall.pro
hydraoc.cpp(297)OC_CALC_DISK_SPACE Done. Returning 0
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I have lots more data!

Anyone....ANYONE AT ALL...know what this is?? Is this known? Something new?
Some weird Microsoft copy protection gone bad (desktop not yet validated
since I keep rebuilding....laptop shouldn't be an issue)
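
The MountedDevices values quoted above are stored as binary data, which is what the "binary data indicates ..." lines are paraphrasing. The decoder below is an added example written for this thread, not code from the poster or from Microsoft. It assumes the three value encodings that appear in that key (a 12-byte MBR disk signature plus partition byte offset, "DMIO:ID:" followed by a 16-byte GPT partition GUID, and a UTF-16LE device interface path) and works on constructed sample entries modelled on the quoted ones; the entry names and the "EXAMPLE_DRIVE" hardware IDs are made up. The GUID {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} at the end of the quoted paths is GUID_DEVINTERFACE_VOLUME, the interface class every volume device exposes, so the decoder simply reports whether a path ends in it and which bus enumerator (IDE, FDC, USBSTOR, ...) the path starts with.

```python
"""Decode HKLM\\SYSTEM\\MountedDevices value data.

Added example (not code from the thread or from Microsoft). Three encodings
occur in this key:
  * 12 bytes            -> MBR partition: 4-byte disk signature + 8-byte byte offset
  * "DMIO:ID:" + 16 b   -> GPT partition: the partition GUID
  * UTF-16LE string     -> device interface path, e.g. \\??\\IDE#CdRom...#{GUID}
"""
import struct
import uuid

# Interface class GUID that terminates the \??\Volume{...} data quoted in the thread.
# It is GUID_DEVINTERFACE_VOLUME, which every volume device object exposes.
GUID_DEVINTERFACE_VOLUME = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"


def decode_mounted_device(data: bytes) -> dict:
    """Return a dict describing what one MountedDevices value points at."""
    if len(data) == 12:
        disk_sig, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr", "disk_signature": f"{disk_sig:08x}",
                "partition_offset": offset}
    if data.startswith(b"DMIO:ID:") and len(data) == 24:
        return {"kind": "gpt",
                "partition_guid": "{%s}" % uuid.UUID(bytes_le=data[8:])}
    try:
        path = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return {"kind": "unknown", "raw": data.hex()}
    body = path[4:] if path.startswith("\\??\\") else path
    return {"kind": "device_path", "path": path,
            # the enumerator (bus) is the segment before the first '#': IDE, FDC, USBSTOR, ...
            "enumerator": body.split("#", 1)[0],
            "is_volume_interface": path.lower().endswith(GUID_DEVINTERFACE_VOLUME)}


def summarize(entries: dict) -> dict:
    """Group entries: drive letters per MBR disk signature, enumerator per device path."""
    by_disk, paths = {}, {}
    for name, data in entries.items():
        d = decode_mounted_device(data)
        if d["kind"] == "mbr":
            by_disk.setdefault(d["disk_signature"], []).append((name, d["partition_offset"]))
        elif d["kind"] == "device_path":
            paths[name] = d["enumerator"]
    return {"by_disk": by_disk, "paths": paths}


def load_live_entries() -> dict:
    """Read the live key on Windows (returns {} on other platforms)."""
    try:
        import winreg
    except ImportError:
        return {}
    out, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\MountedDevices") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            out[name], i = data, i + 1
    return out


# Constructed sample values modelled on the entries quoted in the thread (not real data).
_VOL_GUID = GUID_DEVINTERFACE_VOLUME
SAMPLE_ENTRIES = {
    r"\DosDevices\C:": struct.pack("<IQ", 0x1234ABCD, 63 * 512),
    r"\DosDevices\D:": struct.pack("<IQ", 0x1234ABCD, 20_000_000 * 512),
    r"\??\Volume{00000000-0000-0000-0000-000000000001}":
        ("\\??\\IDE#CdRomEXAMPLE_DRIVE#5&1234abcd&0&0.0.0#" + _VOL_GUID).encode("utf-16-le"),
    r"\??\Volume{00000000-0000-0000-0000-000000000002}":
        ("\\??\\FDC#GENERIC_FLOPPY_DRIVE#6&1234abcd&0&0#" + _VOL_GUID).encode("utf-16-le"),
    r"\??\Volume{00000000-0000-0000-0000-000000000003}":
        b"DMIO:ID:" + uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le,
}

if __name__ == "__main__":
    entries = load_live_entries() or SAMPLE_ENTRIES
    for name, data in entries.items():
        print(name, "->", decode_mounted_device(data))
    print(summarize(entries))
```

On a Windows box the script reads the live key through winreg; anywhere else it falls back to the constructed sample. The useful output when checking a rebuilt machine is the `by_disk` grouping: every drive letter should resolve to the disk signature of the one physical disk that was wiped, and any `\DosDevices` letter that resolves to a different signature, or to a device path on an unexpected bus, is the thing to explain before blaming the wipe.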

From: SRGriffin on

A few more details:

I think that this "thing" sits on a system partition it hijacks during setup
and then never tells the OS setup is finished so the system partition never
gets erased.

It is clearly also doing a system restore or backup at every boot to make
sure it comes back.

It also seems to create a shadow copy of itself. The OS reports I run out of
space for occasional updates, when everything says I have 25+ gigs.

A number of the controls appear to be either java or .net "copies".

Communicates w/ pipes. Sets up a web server as evidenced by the inetsrv folder
in c:\windows (unless that's an office thing). Seems to "encode" data into
media streams and use ADO. Sets up update services so the "terminal os" gets
patched versions of updates or doesn't install them (or uninstalls them).
Disables motherboard devices through invalid updates with smbios...maybe
firmware, which disables any ability to boot first or get to the cmos on
some systems.

Caches software and then runs it through a host3g.dll or similar and looks
like it uses the processor performance counters to monitor things.

If you're successful in getting the system partition removed, then you've also
removed your registry so it won't boot.

Creates $winnt$.inf where I think it may mount from??

I know this sounds a bit paranoid, but I have all the data....after months!
of banging my head.

Please let me know if this is all really legit so I can stop looking at
this!!:)
From: Mike Brannigan [MSFT] on
"SRGriffin" <SRGriffin(a)discussions.microsoft.com> wrote in message
news:F902D053-40D2-4264-AC12-332FB95F44C6(a)microsoft.com...
> I'll try to be brief and follow-up with a few more details in "reply"
> posting.
>
> It seems I have a trojan (or something...??) that I can't get rid of with
> a
> disk wipe.
> ...

If you believe you have something on your disk that is surviving a "disk
wipe" (this really depends on what you think you are doing and how you are
doing this) - then low level format the entire disk (you do this at your own
risk and must follow the manufacturer's instructions for this process).

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups



From: SRGriffin on
I guess what I mean to say is that it survives the "process" of a diskwipe.
(A diskwipe meaning a DOD diskwipe in Ghost and a Secure erase is
diskpartition). So either, something is booting off the disk and redirecting
IO or there is something in flash memory somewhere that comes back or some
combination.

So since this isn't some known MS thing, I'll start posting more liberally
around the web to see what I can find.

Any way to verify my observations?

"Mike Brannigan [MSFT]" wrote:

> "SRGriffin" <SRGriffin(a)discussions.microsoft.com> wrote in message
> news:F902D053-40D2-4264-AC12-332FB95F44C6(a)microsoft.com...
> > I'll try to be brief and follow-up with a few more details in "reply"
> > posting.
> >
> > It seems I have a trojan (or something...??) that I can't get rid of with
> > a
> > disk wipe.
> > ...
>
> If you believe you have something on your disk that is surviving a "disk
> wipe" (this really depends on what you think you are doing and how you are
> doing this) - then low level format the entire disk (you do this at your own
> risk and must follow the manufacturers instruction for this process).
>
> --
>
> Regards,
>
> Mike
> --
> Mike Brannigan [Microsoft]
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights
>
> Please note I cannot respond to e-mailed questions, please use these
> newsgroups
>
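
The question "any way to verify my observations?" has a defender-side answer that does not depend on the installed OS at all: read the raw disk from boot media, hash the boot area, and compare snapshots taken after the wipe, after the install, and after each reboot. If something really is "booting off the disk and redirecting IO", it has to live in sectors the BIOS reads before Windows does, and those sectors either change between snapshots or are non-zero straight after a wipe. The code below is an added example written for this thread, not the poster's or anyone's tool; it assumes the classic MBR layout (disk signature at byte 440, four 16-byte partition entries at 446, 0x55AA at 510) and constructs its sample disk image in memory, so it runs offline.

```python
"""Boot-area snapshot, parse and diff for a raw disk image.

Added example (not from the thread). Assumes a classic MBR: 4-byte disk
signature at offset 440, four 16-byte partition entries at 446, 0x55AA at 510.
Sample images are constructed in memory; on a real machine read the device
read-only from boot media instead (see usage below).
"""
import hashlib
import struct

SECTOR = 512


def parse_mbr(sector: bytes) -> dict:
    """Decode the partition table of one 512-byte MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    disk_sig = struct.unpack_from("<I", sector, 440)[0]
    parts = []
    for slot in range(4):
        off = 446 + 16 * slot
        boot_flag, ptype = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"slot": slot, "bootable": boot_flag == 0x80,
                          "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "boot_signature_ok": sector[510:512] == b"\x55\xaa",
        "disk_signature": f"{disk_sig:08x}",
        "partitions": parts,
        # hash of the boot code only, so a changed partition table does not mask a changed loader
        "code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
    }


def nonzero_sectors(image: bytes, count: int) -> list:
    """Indexes of sectors among the first `count` that are not all zero.

    Straight after a full overwrite wipe this must be empty; anything listed
    here is what a 'survives the wipe' claim has to be checked against."""
    return [i for i in range(count) if any(image[i * SECTOR:(i + 1) * SECTOR])]


def changed_sectors(before: bytes, after: bytes, count: int) -> list:
    """Sectors whose content differs between two snapshots of the same disk."""
    changed = []
    for i in range(count):
        a = hashlib.sha256(before[i * SECTOR:(i + 1) * SECTOR]).digest()
        b = hashlib.sha256(after[i * SECTOR:(i + 1) * SECTOR]).digest()
        if a != b:
            changed.append(i)
    return changed


def build_sample_image(total_sectors: int = 64) -> bytes:
    """Constructed sample: zeroed disk whose MBR holds one bootable NTFS partition at LBA 63."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 440, 0x1234ABCD)
    # slot 0: bootable (0x80), type 0x07 (NTFS), CHS fields left zero, LBA 63, 1000 sectors
    struct.pack_into("<BBBBBBBBII", mbr, 446, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 63, 1000)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR * (total_sectors - 1))


def read_boot_area(device_path: str, count: int = 63) -> bytes:
    """Read the first `count` sectors of a raw device or image file, read-only."""
    with open(device_path, "rb") as f:
        return f.read(count * SECTOR)


if __name__ == "__main__":
    wiped = bytes(SECTOR * 64)          # what a zero-wipe should leave behind
    installed = build_sample_image()    # the same disk after an OS install
    print(parse_mbr(installed[:SECTOR]))
    print("non-zero sectors after wipe:", nonzero_sectors(wiped, 63))
    print("sectors changed by install:", changed_sectors(wiped, installed, 63))
```

To use it on a real machine, boot from a CD or USB stick rather than the installed Windows (so nothing on the suspect disk is running), then call `read_boot_area(r"\\.\PhysicalDrive0")` on Windows PE or `read_boot_area("/dev/sda")` on a Linux live CD, save the bytes, and repeat after each step of the rebuild. A wipe that leaves `nonzero_sectors` empty and an install after which `changed_sectors` reports only the sectors the installer is expected to write settles the question for the boot area; the firmware hypothesis is outside what a disk snapshot can show and would need a separate check of the BIOS image itself.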
From: Merna E via WindowsKB.com on
SRGriffin wrote:
>I'll try to be brief and follow-up with a few more details in "reply" posting.
>
>It seems I have a trojan (or something...??) that I can't get rid of with a
>disk wipe.
> ...

--
First, you are not crackers. This is a very nasty bug that thankfully does
not seem to be widespread.
My system is infected with it also and I came here to find out how to get rid
of it.
As far as wiping the hard drive, it doesn't work. I have personally increased
the value of Seagate stock
because of this nasty bug.
There is a file called delete driver; called from a DODONt.bat
It removes your driver and replaces it with its own driver which reinstalls
of oos
held in the upper memory of DOS.
I am trying to figure out how to get my driver back into DOS
The delete driver command looks like this:
cd\
REM run HP's wait-and-delete script in batch mode (//b) on the path passed as %1
wscript c:\hp\bin\waitAndDelete.jse "%1" /wait:1 //b
REM if the path still exists afterwards, remove the whole directory tree quietly
if exist "%1" rd /s /q "%1"




REM this file called