Hello,
First of all, any help is greatly appreciated.
I have posted to the virus group, but after many hours of investigating, this is certainly malicious code via programming - and I have seen references to C++ in the code - so I hope you can help.
Okay, here's the facts:
- I have machines running Win98, Win2000 Pro, and Windows XP that have malicious code running on them.
- Removing the hard drive and installing with a brand new one does not remove it - I know this joker is writing to BIOS and Video BIOS (if possible) as well.
- Norton, McAfee, and Black Ice see/detect nothing! When I do a search on Google, nothing comes back. However, when I do a netstat, connections are open. Likewise, when you go to open IE, and go to Microsoft, for example, you see redirect tags in the URL line.
- When I look at the code, I see all kinds of references to the BIOS and PNP.
- I cannot delete all of the partitions. While FDISK only reports 1 partition, WinHex shows three partitions. Using WinHex, I see all sorts of files on the partitions.
Here are some of the lines from the autoexec, config, and a file called detlog.txt (all these files are from a Win98 Second Edition PC):
- Autoexec.bat
Echo off
Path=C:\windows;c:\windows\command;c:
LH DOSKEY
C:\Essolo.com
- Config.sys
Device= C:\essolo.sys
Device= c:\windows\himem.sys
Device= C:\windows\emm386.exe RAM
DOS=High, UMB
- Detlog.txt
[System Detection: 08/23/99 - 11:51:13]
Parameters "J", Infparams "", Flags=01052023
SDMVer=040a.2222, WinVer=070E040E Build=040a.2222, WinFlag=00003c29
SkipList=
DetectList=
RegAvoidRes: UMB\0000
mem=cb5c0-cdedf (ffffffff:0:0)
RegAvoidRes: UMB\0001
mem=cdee0-cdfef (ffffffff:0:0)
RegAvoidRes: UMB\0002
mem=cdff0-cf23f (ffffffff:0:0)
RegAvoidRes: UMB\0003
mem=cf240-dffff (ffffffff:0:0)
LogCrash=crash log not found or invalid
LogCrash=crash log invalid
Estimated number of detection functions=350
Number of verify functions called=0
Previous OS version=0
Checking for: System Bus
CheckInt86xCrash=int 1a,AX=b101,rc=0
SetVar: PCIBUS
DetFlags: 40
Detected: *PNP0C08\0000 = [1] Advanced Configuration and Power Interface
SetVar: ACPBIOS=
Number of functions called=50
Devices detected:1
ConfigMG device=HTREE\RESERVED\0
ConfigMG device=ROOT\NET\0000
ConfigMG device=ROOT\NET\0000:status=8000621
.
.
.
.
Checking for: Trident VGA Display Driver
QueryIOMem: Caller=DETECTTRIDENT, rcQuery=2
IO=3b0-3bb,3c0-3df
Last, these files are in C:\windows\command (and I know they do not belong):
cscript.exe 85k 11/5/99
pkunzip.exe 32k 1/24/94
sulfnbk.exe 44k 4/23/99
vide_cdd.sys 12k 3/3/99
xcopy32.mod 41k 4/23/99
Some files from C:\Windows\System
leshwiz.exe 76k 4/23/99
Inside Your Computer 38k (screen saver) 4/23/99
Internat.exe 28k 4/23/99
Lights.exe 48k 4/23/99
Leonardo da Vinci Screen Saver
I apologize if this is a bit scattered (or in the wrong group - if so - please point me to the right one); I have been working on this for weeks and am getting nowhere. If anyone can advise who can help, what language this joker is using, or whether there is a way to "break" the code, I'd greatly appreciate it.
Lo
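As an added, worked check (not part of the original post, and not output from any tool it mentions): the FDISK-versus-WinHex discrepancy described above is something you can verify directly from sector 0, because the four primary partition entries live at a fixed offset in the MBR whether or not the OS assigns them a drive letter. The script below parses those entries, flags the "hidden" type IDs (the FAT/NTFS IDs with bit 4 set, e.g. 0x1B, 0x16) that DOS and Win9x do not mount, and reports how many sectors lie past the last table entry. The MBR bytes are constructed here as sample data and the function names are mine; to run it against a real disk, pass a raw sector dump or image path on the command line.

```python
"""Raw-MBR partition table check (added example, not from the original post).

Lists all four primary partition entries at offset 0x1BE of sector 0, the way a
hex editor shows them, regardless of what FDISK reports. SAMPLE_MBR below is
constructed for illustration.
"""
import struct
import sys

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE      # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE  # bytes 0x55 0xAA mark a valid MBR
# status, CHS start (3 bytes, skipped), type, CHS end (3 bytes, skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"

# Common DOS partition type IDs. The "hidden" IDs are the normal FAT/NTFS IDs with
# bit 4 set; DOS and Win9x assign them no drive letter, so they never show up in Explorer.
TYPE_NAMES = {
    0x01: "FAT12", 0x04: "FAT16 <32M", 0x05: "Extended", 0x06: "FAT16",
    0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0E: "FAT16 LBA",
    0x0F: "Extended LBA", 0x11: "Hidden FAT12", 0x14: "Hidden FAT16 <32M",
    0x16: "Hidden FAT16", 0x17: "Hidden NTFS/HPFS", 0x1B: "Hidden FAT32",
    0x1C: "Hidden FAT32 LBA", 0x1E: "Hidden FAT16 LBA",
}
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_partition_table(sector0):
    """Return one dict per non-empty primary partition entry in sector 0."""
    if len(sector0) < MBR_SIZE:
        raise ValueError("need at least 512 bytes of sector 0")
    if sector0[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature; not a DOS-style MBR")
    entries = []
    for slot in range(4):
        raw = sector0[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        status, ptype, lba_start, count = struct.unpack(ENTRY_FMT, raw)
        if ptype == 0 and count == 0:
            continue  # empty slot
        entries.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown 0x%02X" % ptype),
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba_start,
            "sectors": count,
            "mib": count * 512 // (1024 * 1024),
        })
    return entries


def summarize(sector0, disk_sectors=None):
    """Counts of visible vs hidden entries, plus sectors beyond the last partition."""
    entries = parse_partition_table(sector0)
    last_end = max((e["lba_start"] + e["sectors"] for e in entries), default=0)
    return {
        "partitions": len(entries),
        "hidden": sum(1 for e in entries if e["hidden"]),
        "bootable_slot": next((e["slot"] for e in entries if e["bootable"]), None),
        "unaccounted_sectors": None if disk_sectors is None else disk_sectors - last_end,
    }


def build_mbr(entries):
    """Construct a sector 0 with the given (status, type, lba_start, count) entries."""
    sector = bytearray(MBR_SIZE)
    sector[:2] = b"\xEB\xFE"  # placeholder boot code: jmp $
    for slot, fields in enumerate(entries):
        sector[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)] = struct.pack(ENTRY_FMT, *fields)
    sector[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


# Constructed sample: one ordinary FAT32 C: plus two hidden-type partitions,
# which is how "FDISK shows one, the hex editor shows three" looks on disk.
SAMPLE_MBR = build_mbr([
    (0x80, 0x0B, 63, 2_097_089),          # visible, bootable FAT32
    (0x00, 0x1B, 2_097_152, 524_288),     # hidden FAT32, no drive letter
    (0x00, 0x16, 2_621_440, 65_536),      # hidden FAT16, no drive letter
])
SAMPLE_DISK_SECTORS = 4_194_304  # a 2 GiB disk, constructed

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:  # a dd image, or a raw device if you have rights
            sector0 = f.read(MBR_SIZE)
        disk_sectors = int(sys.argv[2]) if len(sys.argv) > 2 else None
    else:
        sector0, disk_sectors = SAMPLE_MBR, SAMPLE_DISK_SECTORS
    for e in parse_partition_table(sector0):
        tag = "HIDDEN" if e["hidden"] else "      "
        print("slot %d %s %-18s start=%-10d %5d MiB" % (e["slot"], tag, e["type_name"], e["lba_start"], e["mib"]))
    print(summarize(sector0, disk_sectors))
```

Two caveats when using this on a real machine: the script reads only the four primary entries and does not walk the EBR chain behind an Extended (0x05/0x0F) entry, and a large "unaccounted_sectors" value only tells you that space exists outside the table, not what is in it; you still have to look at those sectors.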