Same old Windows same old problems.

  1. #1
    Registered User
    Join Date
    Apr 2001
    Location
    Medicine Hat Alberta
    Posts
    144

    Well, today marks my first nasty encounter in 2014 with a Microsoft infection on a client's Windows 7 PC. Of course, when you have an MBR infection coupled to a random device driver, your support resources go out the window fast. The only thing worse I can think of would be a UEFI BIOS infection on an encrypted file system, and I hope I never see that day.

    I would have thought by now Microsoft would have taken better security measures against these types of MBR rootkit infections. Originally, I was introduced to these infections back in the early days of Windows XP, and guys like Bryce Cogswell and Mark Russinovich already knew about their potential risks while developing their Sysinternals suite for Win9x in the late 1990s. Now today it seems like everyone and their proverbial dog has some kind of hook in your Microsoft Windows operating system, whether you like it or not.

    What makes today's particular infection special was that it was surprisingly not detected by any of the following products: Symantec Endpoint Protection 12.1, Kaspersky Anti-Virus, Dr.Web CureIt!, TDSSKiller, Microsoft Security Essentials, Malwarebytes, GMER (which just crashed when monitoring kernel processes), MBR tool (which was smart enough to indicate something had been screwing around with the MBR), and ComboFix, which just failed to run.

    This type of infection will always find a way to bury itself beneath or at the core of the Windows operating system, in places where your regular IT tools (Taskmgr.exe, Autoruns, Process Monitor) just aren't allowed. No third-party software should be able to run at these levels, which also means anti-virus programs and anything else that isn't Microsoft.

    Of course, the solution for curing this type of infection never just jumps out at you, because every infection is randomly generated and unique to your installation and the devices it attaches to. Removal of these infections is very tedious, and they are usually masked behind hundreds or thousands of malware / adware / spyware & Trojans that are strewn all over the Windows operating system. This can be the result of one bad decision: visiting or clicking on a single infected website, link or e-mail attachment, which can spawn browser hijackers, pop-up ads, toolbars, suspicious all-in-one fix-it programs (scareware) and fake anti-virus software, all masking the real intent to steal your identity or information. Guaranteed, the nasty infection will always be the last thing you find and remove.

    It can be somewhat rewarding ripping out an infection at its roots, but then that's only half the battle. The next daunting task is repairing what it broke while it was running in your Windows system. This could be from corrupt device drivers, security services, firewall services, registry keys, system files, and permissions.

    In my case I hit the mother lode. I ran all the scans I could to eliminate the malware while manually uninstalling programs, suspicious files, registry keys and processes that I knew didn't belong. Once I had a semi-clean boot environment, I could then home in on the device driver providing a gateway from the internet to the system. Ironically, this time it was buried in the wireless network driver and services. It ended up torpedoing the Microsoft Base Filtering Engine service, a hidden Microsoft BFE user account for the service & the Microsoft Firewall service, exposing the system to more threats.

    So, I uninstalled the infected device driver, but that wasn't the end of it. Every time the system rebooted and attempted to re-install the wireless driver from Windows Update, the MBR infection would hook itself back into the wireless driver, resulting in a Blue Screen (STOP). So, I manually uninstalled the wireless network card device driver in Safe Mode and booted off a Windows 7 DVD into the Microsoft Windows Recovery Console.

    I deleted the BCD, rebuilt the MBR, rebuilt the BCD & shut down the computer, immediately discharging the motherboard to empty the contents of RAM, thereby crippling the mastermind behind the infection.

    I then fired up the PC again, disabled the WiFi adapter after the install so I could run SFC /scannow to replace any remaining corrupt Windows files. The generated SFC CBS.log file was 540 pages long as a result, so I figured there must have been quite a bit of Windows corruption. I re-installed the wireless card through Windows Update and there I was, back in action with no active infection.

    Now the rebuilding of the Registry and Windows system services could begin. Of course, after having a terrible infection like this, it's always good to clear the System Restore Point history, just in case someone accidentally restores back to a time when the infection was still active. A fresh restore point history list would be something not to forget; I can't imagine having to relive this experience again.

    I wonder if Windows 9 will be a rehashed version of Windows 95, like every other previous release of Windows, or if they will actually build something new and better. I think it's time for Microsoft to re-invent the wheel instead of beating a dead horse. I also suspect there are some high-up Microsoft employees calling the shots who are intentionally driving the company into the ground, and I'd sure like to see them fired!
    Last edited by pbolduc; January 13th, 2014 at 12:41 AM.

  2. #2
    Super Moderator SpywareDr's Avatar
    Join Date
    Jul 2012
    Location
    Maryland, USA
    Posts
    389
    Quote Originally Posted by pbolduc:

    ...so I could run SFC /scannow to replace any remaining corrupt Windows files.

    Note that SFC cannot detect NTFS Alternate Data Streams (ADS). Microsoft does not provide any tools or utilities with Windows or in their Resource Kits for detecting the presence of ADS.

    Forensic Focus > Dissecting NTFS Hidden Streams

    NTFS Alternate Streams: What, When, and How To
    --
    Doc
    ___________Microsoft Safety & Security Center___________
    \____________________ ____.-.____ ____________________/
    \_____________\ -._)!(_.- /_____________/
    \_______\. ~\ /~ ./_______/
    \_______/

    "Men never do evil so completely and cheerfully as when they do it from religious conviction" -Blaise Pascal

  3. #3
    Registered User
    Join Date
    Apr 2001
    Location
    Medicine Hat Alberta
    Posts
    144
    That's good to know, SpywareDr. I have found hundreds of mixed infections during my PC cleaning on this computer, from adware, spyware, malware, third-party programs and toolbars to Trojans and exploits found in the Sun Java temp folder and Google cache. If you're curious to see the 540-page log file generated by the SFC scan, I can always send you a copy. I was planning on looking at it more closely when I had more time. =) I have no clue what it fixed, but I'd say it was a busy little program.

    Previously, however, with other MBR rootkits, I've seen them damage the atapi.sys and iaStor.sys files, where I've had to physically replace the driver before the system would boot, as clearing the MBR would lead to a STOP error until I replaced said files.

    As you mentioned about the streams, this shouldn't actually have any impact on the file itself once the stream is broken. So what's corrupting these files after the fact, I wonder? Could it be the stream flows both ways?

    Thanks for the useful links =)
    Last edited by pbolduc; January 11th, 2014 at 07:10 PM.

  4. #4
    Super Moderator SpywareDr's Avatar
    Join Date
    Jul 2012
    Location
    Maryland, USA
    Posts
    389
    1) You're welcome.

    2) All I was saying was that malicious software can be hidden from the Windows operating system itself in Alternate Data Streams. (Try it; read up on it).

    3) The only way to be absolutely sure an infected Windows operating system is clean is to wipe the drive and reinstall the operating system from a known-clean source (such as an original Microsoft Windows CD/DVD).

  5. #5
    Registered User maced's Avatar
    Join Date
    Aug 2008
    Location
    Universal City, TX
    Posts
    16

    You can use programs like ADS Spy or LADS to look for streams, but you have to be careful about removing them. Windows does use ADS in some cases. Good thread; I like the input here.

    Quote Originally Posted by SpywareDr:

    1) You're welcome.

    2) All I was saying was that malicious software can be hidden from the Windows operating system itself in Alternate Data Streams. (Try it; read up on it).

    3) The only way to be absolutely sure an infected Windows operating system is clean is to wipe the drive and reinstall the operating system from a known-clean source (such as an original Microsoft Windows CD/DVD).
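    As an added example, not taken from any post in this thread, here is a Windows PowerShell function for the check the two posts above talk about: it enumerates alternate data streams below a folder, skips each file's default `:$DATA` stream, flags any stream that starts with an MZ (executable) header, and treats every stream name not in `$KnownBenign` as worth a look, since, as maced says, Windows writes some streams legitimately. The function and parameter names are my own.

```powershell
# List NTFS alternate data streams below a folder and flag the ones a cleanup
# should look at. Requires Windows PowerShell 3.0 or later (-Stream parameter);
# on PowerShell 7 replace '-Encoding Byte' with '-AsByteStream'.
function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Stream names Windows itself writes; Zone.Identifier marks downloaded
        # files. Extend this list for your own environment.
        [string[]]$KnownBenign = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # ':$DATA' is the file's own default stream; everything else is an ADS.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $stream = $_
            # Peek at the first two bytes: 'MZ' means an executable image is
            # stored in the stream, which no legitimate Windows use does.
            $head = @(Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
            $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            [PSCustomObject]@{
                File        = $file.FullName
                Stream      = $stream.Stream
                SizeBytes   = $stream.Length
                LooksLikePE = $isPe
                Suspicious  = ($isPe -or ($KnownBenign -notcontains $stream.Stream))
            }
        }
    }
}

# Report only the streams worth a second look; drop the Where-Object to see all.
Find-AlternateStreams -Path "$env:USERPROFILE\Downloads" |
    Where-Object Suspicious | Format-Table -AutoSize
```

    Review what the report lists before deleting anything: a stream that is not in the benign list is a lead, not proof, and removing a stream Windows relies on can break the file it is attached to.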

  6. #6
    Registered User
    Join Date
    Apr 2001
    Location
    Medicine Hat Alberta
    Posts
    144
    I would just like to add one other comment about these types of infections that I have come across. This was going back several years ago, when I first encountered these nasty MBR infections. This was before the TDSSKiller tool was available for the masses.

    Anyway, I knew this computer was infected, but for the life of me I couldn't tell where it was coming from. At the time I was trying to use Spybot Search & Destroy's real-time monitor to track activity in Windows, coupled with Regmon and Filemon. I wasn't able to remove this infection because I could never see the infection or the associated files triggering the actions that were taking place on the computer.

    So I performed a FRESH format / re-install of the operating system and, to my surprise, the computer was still infected with the same infection after the format / re-install, and I was completely dumbfounded.

    Only after digging a lot more did I realize the only thing that was still intact on the hard drive was the MBR. So before you do a format re-install on the PC, you should effectively wipe the MBR before you re-install, then discharge the RAM/computer, reboot the PC, then start the re-install and re-create the OS partition. Just something to keep in mind when doing a clean install.

    A typical format re-install alone will not remove these infections.
    Last edited by pbolduc; January 12th, 2014 at 02:11 PM.
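    As an added example, not from any post in this thread, here is a Windows PowerShell script for the kind of check pbolduc's MBR tool performed in posts #1 and #6: it reads sector 0 of a physical disk, verifies the 0x55AA boot signature and counts bootable partition entries, and compares a SHA-256 of the 440-byte bootstrap code against a baseline recorded on a known-clean system. The function names and the baseline file location are my own choices.

```powershell
# Read the first sector of a physical disk and check the MBR for signs of
# tampering. Needs an elevated (Administrator) Windows PowerShell session.
function Get-MbrBytes {
    param([int]$DiskNumber = 0)
    $path = "\\.\PhysicalDrive$DiskNumber"
    # FileShare ReadWrite is required because the OS already holds the disk open.
    $fs = New-Object System.IO.FileStream($path,
        [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        if ($fs.Read($buf, 0, 512) -ne 512) { throw "Short read from $path" }
        return $buf
    } finally { $fs.Dispose() }
}

function Test-Mbr {
    param(
        [byte[]]$Mbr,
        # Hypothetical location for the saved baseline hash; pick your own.
        [string]$BaselinePath = "$env:ProgramData\mbr-baseline.sha256"
    )
    # Hash only the 440-byte bootstrap code. The disk signature (offset 440)
    # and partition table (offset 446) that follow it change for legitimate
    # reasons; the boot code should not change on a healthy system.
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = -join ($sha.ComputeHash([byte[]]$Mbr[0..439]) | ForEach-Object { $_.ToString('x2') })
    $active = 0
    for ($i = 0; $i -lt 4; $i++) {
        if ($Mbr[446 + 16 * $i] -eq 0x80) { $active++ }   # 0x80 = bootable flag
    }
    $result = [PSCustomObject]@{
        BootCodeSha256   = $hash
        SignatureValid   = ($Mbr[510] -eq 0x55 -and $Mbr[511] -eq 0xAA)
        ActivePartitions = $active          # exactly one is the normal case
        BaselineState    = 'new'
    }
    if (Test-Path -LiteralPath $BaselinePath) {
        $known = (Get-Content -LiteralPath $BaselinePath -Raw).Trim()
        $result.BaselineState = if ($known -eq $hash) { 'unchanged' } else { 'CHANGED' }
    } else {
        # First run: record the current boot code hash as the known-good state.
        Set-Content -LiteralPath $BaselinePath -Value $hash
    }
    return $result
}

Test-Mbr -Mbr (Get-MbrBytes -DiskNumber 0) | Format-List
```

    A kernel-resident rootkit of the kind described in this thread can filter what the running system reads back from the disk, so the comparison is only trustworthy when the baseline was recorded on a clean system and the check is run from known-clean boot media. After a legitimate MBR rebuild, delete the baseline file so the next run records the new boot code.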

  7. #7
    Super Moderator SpywareDr's Avatar
    Join Date
    Jul 2012
    Location
    Maryland, USA
    Posts
    389
    Correct, wipe the drive.

  8. #8
    Registered User Ferrit's Avatar
    Join Date
    Apr 2001
    Location
    Vancouver Island The Real Canada
    Posts
    4,952
    That's a pretty serious infection. Makes one wonder what protection was on it. And an even more important question is: where would a computer have to be frequenting to get this type of infection?

    In the old days I saw this with XP. This type of infection hasn't been frequent in any systems I watch over since the days of XP.
    Gigabyte 990FXA-UD3
    AMD FX 8350 4ghz OCTO-Core
    Windows 8.1 PRO 64
    Adata 256 gig SSD
    Kingston HyperX 1600 16 Gigs
    Sapphire R9 280 2gig
    Enermax Liberty Modular 620
    www.northernaurora.net
    http://www.northernaurora.net/page/chat.html

  9. #9
    Registered User
    Join Date
    Apr 2001
    Location
    Medicine Hat Alberta
    Posts
    144
    Well, because these are customer machines, I'm not overly sure which websites they get the infections from. But if memory serves me correctly, I believe this was instigated by a Sun Java exploit.
    Last edited by pbolduc; January 13th, 2014 at 12:43 AM.

  10. #10
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    The solution isn't just wiping the drive, it's also setting the user to run with the least amount of rights needed to do their job. That means no administrator, regardless of how much they want it.
    Protected by Glock. Don't mess with me!

  11. #11
    Super Moderator SpywareDr's Avatar
    Join Date
    Jul 2012
    Location
    Maryland, USA
    Posts
    389
    NDProxy.sys in Windows XP SP2 and SP3 and Server 2003 SP2 allows a local restricted user to gain admin rights. Microsoft is investigating.

  12. #12
    Registered User
    Join Date
    Apr 2001
    Location
    Medicine Hat Alberta
    Posts
    144
    Sorry Doc, forgot the rules. I've removed my post. Thanks for the heads up.

    Meanwhile, since we are on the topic of malware & infections, I encourage everyone on this forum to take an hour out of their busy schedule to watch this video. I think everyone needs to be aware of what's going on with the NSA.

    https://www.youtube.com/watch?v=vtQ7LNeC8Cs
    Last edited by pbolduc; January 13th, 2014 at 11:27 PM.

  13. #13
    Super Moderator SpywareDr's Avatar
    Join Date
    Jul 2012
    Location
    Maryland, USA
    Posts
    389
    WinDrivers Computer Tech Support Forums Rules
    You will not use these Forums for the purposes of sharing or distributing viruses, licenses, registration information, software keys, "cracks," or other information designed to do harm to or allow unlawful access to any computer hardware, software, networks, or any other systems.
