Same old Windows same old problems.

Well, today marks my first nasty encounter in 2014 with a Microsoft infection on a client's Windows 7 PC. Of course, when you have an MBR infection coupled to a random device driver, your support resources go out the window fast. The only thing worse I can think of would be a UEFI BIOS infection on an encrypted file system, and I hope I never see that day.

I would have thought by now Microsoft would have taken better security measures against these types of MBR rootkit infections. Originally, I was introduced to these infections back in the early days of Windows XP, and guys like Bryce Cogswell and Mark Russinovich already knew about their potential risks while developing their Sysinternals suite for Win9x in the late 1990s. Now today it seems like everyone and their proverbial dog has some kind of hook in your Microsoft Windows operating system, whether you like it or not.

What makes today's particular infection special was that it was surprisingly not detected by any of the following products: Symantec Endpoint Protection 12.1, Kaspersky Anti-virus, Dr. Web CureIt, TDSSKiller, Microsoft Security Essentials, Malwarebytes, GMER (just crashed when monitoring kernel processes), MBR tool (was smart enough to indicate something had been screwing around with the MBR), and Combofix just failed to run.

This type of infection will always find a way to bury itself beneath or at the core of the Windows operating system, in places where your regular IT tools (Taskmgr.exe, Autoruns, Process Monitor) just aren't allowed. No third-party software should be able to run at these levels, which also means anti-virus programs and anything else that isn't Microsoft.

Of course, the solution for curing this type of infection never just jumps out at you, because every infection is randomly generated and unique to your installation and the devices it attaches to. Removal of these infections is very tedious, and they are usually masked behind hundreds or thousands of malware / adware / spyware & Trojans that are strewn all over the Windows operating system. This can be the result of one bad decision: visiting or clicking on a single infected website, link or e-mail attachment, which can spawn browser hijackers, pop-up ads, toolbars, suspicious all-in-one fix-it programs (scareware) and fake anti-virus software, all masking the real intent to steal your identity or information. Guaranteed, the nasty infection will always be the last thing you find and remove.

It can be somewhat rewarding ripping out an infection at its roots, but then that's only half the battle. The next daunting task is repairing what it broke while it was running in your Windows system. This could be corrupt device drivers, security services, firewall services, registry keys, system files, and permissions.

In my case I hit the mother lode. I ran all the scans I could to eliminate the malware while manually uninstalling programs, suspicious files, registry keys and processes that I knew didn't belong. Once I had a semi-clean boot environment I could then home in on the device driver providing a gateway from the Internet to the system. Ironically, this time it was buried in the wireless network driver and services. It ended up torpedoing the Microsoft Base Filtering Engine service, a Microsoft hidden BFE user account for the service & the Microsoft Firewall Service, exposing the system to more threats.

So, I uninstalled the infected device driver, but that wasn't the end of it. Every time the system rebooted and attempted to re-install the wireless driver from Windows Update, the MBR infection would hook itself back into the wireless driver, resulting in a Blue Screen (STOP). So, I manually uninstalled the wireless network card device driver in safe mode and booted off a Windows 7 DVD into the Microsoft Windows Recovery Console.

I deleted the BCD, rebuilt the MBR, rebuilt the BCD & shut down the computer, immediately discharging the motherboard to empty the contents of RAM, thereby crippling the mastermind behind the infection.

I then fired up the PC again and disabled the Wi-Fi adapter after the install so I could run SFC /scannow to replace any remaining corrupt Windows files. The generated SFC CBS.log file was 540 pages long as a result, so I figured there must have been quite a bit of Windows corruption. I re-installed the wireless card through Windows Update and there I was, back in action with no active infection.

Now, the rebuilding of the Registry and Windows system services could begin. Of course, after having a terrible infection like this it's always good to clear the System Restore Point history, just in case someone accidentally restores back to a time when the infection was still active. A fresh restore point history list would be something not to forget; I can't imagine having to relive this experience again.

I wonder if Windows 9 will be a rehashed version of Windows 95, like every other previous release of Windows, or if they will actually build something new and better? I think it's time for Microsoft to re-invent the wheel, instead of beating a dead horse. I also suspect there are some high-up Microsoft employees calling the shots who are intentionally driving the company into the ground, and I'd sure like to see them fired!
Last edited by pbolduc; January 13th, 2014 at 12:41 AM.
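A post-cleanup check that covers the pieces the post above names (the Base Filtering Engine and Windows Firewall services, the SFC CBS.log, the network driver that carried the hook, and the restore point list). This is an added example written for this thread, not the poster's own procedure or any vendor tool; it uses stock Windows 7 cmdlets and netsh, and the report path on the desktop is an assumption.

```powershell
# Post-cleanup health check for a Windows 7 machine after an MBR/driver infection.
# Added example, not from the original post. Run from an elevated PowerShell
# prompt (PowerShell 2.0 is enough). The report path is an assumption.

$reportPath = "$env:USERPROFILE\Desktop\cleanup-check.txt"   # assumed location
$lines = @()

# 1. Services the post describes as knocked out: Base Filtering Engine (BFE)
#    and Windows Firewall (MpsSvc). Expect State=Running and StartMode=Auto.
foreach ($name in 'BFE', 'MpsSvc') {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        $lines += "SERVICE $name : MISSING (not registered with the Service Control Manager)"
    } else {
        $lines += "SERVICE $name : State=$($svc.State) StartMode=$($svc.StartMode) Account=$($svc.StartName)"
    }
}

# 2. Firewall profile state as the firewall itself reports it (ON/OFF per profile).
$lines += @(netsh advfirewall show allprofiles state) | Where-Object { $_ -match 'Profile|State' }

# 3. SFC results: the [SR] lines in CBS.log record what was repaired and what
#    could not be. Anything still listed as "Cannot repair" needs manual attention.
$cbs = "$env:windir\Logs\CBS\CBS.log"
if (Test-Path $cbs) {
    $sr = @(Select-String -Path $cbs -Pattern '\[SR\]')
    $unrepaired = @($sr | Where-Object { $_.Line -match 'Cannot repair member file' })
    $lines += "SFC: $($sr.Count) [SR] entries, $($unrepaired.Count) unrepaired"
    foreach ($m in @($unrepaired | Select-Object -Last 20)) {
        $lines += "  " + $m.Line.Trim()
    }
} else {
    $lines += "SFC: CBS.log not found at $cbs"
}

# 4. Network drivers: the post found the hook in the wireless driver. List every
#    NET-class driver with provider and signing status; an unsigned driver or an
#    unknown provider is the first thing to look at.
foreach ($drv in @(Get-WmiObject -Class Win32_PnPSignedDriver -Filter "DeviceClass='NET'")) {
    $lines += "DRIVER $($drv.DeviceName) : Provider=$($drv.DriverProviderName) Version=$($drv.DriverVersion) Signed=$($drv.IsSigned) Inf=$($drv.InfName)"
}

# 5. Restore points: after a cleanup the list should only contain points created
#    after the infection was removed. Anything older is a way back to the infected state.
$rps = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
$lines += "RESTORE POINTS: $($rps.Count)"
foreach ($rp in $rps) {
    $when = $rp.ConvertToDateTime($rp.CreationTime)
    $lines += "  #$($rp.SequenceNumber) $when $($rp.Description)"
}

# Write the report and echo it to the console.
$lines | Out-File -FilePath $reportPath -Encoding UTF8
$lines
```

Running it once before the Recovery Console work and once after the SFC pass gives a before/after record of the same machine, which is handy when a client asks what exactly was broken and what the rebuild fixed.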
