mjacobs2929
WINDOWS UPDATE INFECTS MBR??!!

This is a direct follow on from the problem I described (and thought solved)
here: only about 72 hours ago.

In short, as I said in my final entry on that piece, I've been reinstalling all my software and devices, checking with tdsskiller after each one, to ensure that I have not re-infected myself.

I finally got around to allowing windows to update itself. It found I needed 54 updates (remember I had rolled back to an installation snapshot made a few months ago at the start of this debacle, in the hope that this would clear the infection. It didn't - I still had 3 threats - so all those updates needed reinstalling). Fortunately I ran another tdsskiller test (clean) and made a Rollback snapshot of my system drive immediately prior to permitting the update.

On completion and restart, I immediately ran tdsskiller again and found 63 threats.

For obvious reasons, I immediately rolled back to the pre-update snapshot and all the threats have gone away.

For equally obvious reasons I'm gobsmacked.

I cannot believe that the "infection" is real, or else about 10% the online users of Win 8 would be screaming (the few who have rootkit identifiers installed). Which leads me to conclude that they must be false positives and that in turn takes me right back to the position I was in before I was persuaded to take the initial infection seriously.  

The one thing that makes me suspicious (that it might be a real infection) is that, after the reboot, (i.e. before I could run the tdsskiller test)  the system insisted on going online and downloading something or other without announcing what it was doing or why and without telling me what it had done when it had finished. And it was in a most peculiar state. I could not interrupt it. I couldn't run the task manager, couldn't get back to the desktop or gain control in any other way. Couldn't even pull the network cable because I had left the update going at home and logged in remotely to finalise it and run the tdsskiller test...

I'm all ears...
aadih

A comment only (no solution):

I don't believe it's a windows update that infects your MBR.

You are undoubtedly seriously infected, however.

Rootkits are nasty and hard to remove successfully.  :-(
You could also try:

(1) Scanning with Malwarebytes Anti-Rootkit Beta:

http://www.malwarebytes.org/products/mbar/

(2) aswMBR:

http://public.avast.com/~gmerek/aswMBR.htm

and

(3) ComboFix:

http://www.bleepingcomputer.com/download/combofix/

Before installing the updates (on a "supposedly clean" state).
mjacobs2929

ASKER

Already tried all those. Combofix looked most convincing. Aswmbr refused to run, even in safe mode - which made me very suspicious. I think I downloaded the wrong version of mbar and will be trying that later...
Quick update. Just got the right version of Mbam and ran a full scan. No threats found...
So, how is the system behaving now?
Gerwin Jansen
What kind of threats did you get in the initial report, you mention 63 but not which ones.

After you've updated your system, can you monitor your hardware firewall (or have someone monitor it for you) and log traffic from the 'clean' system? You should be able to look at the firewall logs and find references to the strange update you've seen.
I battled my computer for 4 weeks with the same symptoms that you stated. This was the solution that I used to get my computer running normally again.

Homeland Security has advised windows users to uninstall Java, because hackers have found a vulnerability. So far, 850 million computers have been attacked by the java jar exploit kit.

http://www.zdnet.com/homeland-security-warns-to-disable-java-amid-zero-day-flaw-7000009713/

It also runs in windows recovery (System Volume Information), so when you recover your computer, the exploit also regenerates itself like a worm. It does infect windows updates during installation.

If your anti-virus engine is showing no viruses now, but acting abnormal, uninstall java and manually delete the java folder in hidden appdata folder. Once your machine is running normally, create a new restore point.

Do not get Java and Javascript confused. They are two different programs.
@bnei - The issue you're referring to is from January this year - you reckon it's still valid?
Bnei, interesting. I was aware of the Java issues. Wasn't aware they could cause behaviour like this.

Gerwin Jansen asks what the threats were. I didn't hang around to find out. I immediately restored the pre-update Rollback snapshot (I don't use system restore, that's far too incomplete) and all the reported threats went away. I didn't have time to investigate further as I was preparing to go away for the week and had a customer server to rebuild.

You also talk about monitoring the firewall. I shall be looking at that issue when I get back. But I did monitor the network for a couple of nights using wireshark and found nothing untoward in the list of "endpoints" and other activities.

aadih asks how the system is behaving now. The system has been perfectly normal all the way through this experience. It only started with an idle experiment on my part to see what, if anything, tdsskiller would find and, to my consternation, it reported 125 threats. As all other tools were saying I was clean, I spent the first week denying the problem until I was persuaded (see previous thread) that the problem was real.

As of now, my plan is a total rebuild, delete all system and windoze partitions and start from scratch with periodic RogueKiller and tdsskiller checks to see that the system isn't acquiring an alleged threat as I rebuild it.
>> delete all system and windoze partitions
You'd have to clean MBR, partition area etc. as well - just to be sure.
>>You'd have to clean MBR, partition area etc. as well - just to be sure.

That's news (to me). I have always assumed that deleting all the partitions, including the windoze system partition, followed by a full ntfs format was sufficient. Are you saying that the MBR occupies another bit of the disk that we don't see? Or that it somehow survives the re-partitioning and formatting process?
I ended up with the java jar exploit during the last week of July. So I definitely believe the warning still applies. I did not figure out how to deal with it until the 3rd week in August. So yes, Java Jar Exploit is still attacking computers running java.
Go ahead, reinstall (rebuild as you say).  That'd ease your concerns.
>> Are you saying that the MBR occupies another bit of the disk that we don't see?
No I'm not but since you've had so much trouble and can't explain why it happened again, I'd personally dd the whole disk with zeroes on another machine. But then again, that's a bit paranoid I guess. Let us know how your rebuild goes.
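An added illustration, not code from anyone in this thread, of where the MBR actually lives: it parses a constructed 512-byte sector 0 (the disk layout, partition sizes and function names are assumptions), shows that LBA 0 lies outside every partition, so formatting or deleting partitions never rewrites it, and hashes the boot-code area as a baseline a defender can re-check after a rebuild or an update.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # 446 bytes of boot code precede the partition table
SIGNATURE = b"\x55\xAA"     # MBR boot signature at bytes 510-511
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count

def build_test_mbr():
    """Constructed sector 0 (not a real disk dump): placeholder boot code, an active
    100 MiB NTFS system partition at LBA 2048 and a 1 GiB NTFS partition after it."""
    boot_code = b"\xEB\xFE" + b"\x00" * (TABLE_OFFSET - 2)   # 'jmp $' then padding
    chs = b"\x00" * 3                                         # CHS fields unused here
    system = struct.pack(ENTRY_FMT, 0x80, chs, 0x07, chs, 2048, 204800)
    windows = struct.pack(ENTRY_FMT, 0x00, chs, 0x07, chs, 2048 + 204800, 2097152)
    return boot_code + system + windows + b"\x00" * 32 + SIGNATURE

def parse_mbr(sector0):
    """Return the used partition entries of a classic MBR as dicts."""
    if len(sector0) != SECTOR_SIZE or sector0[510:] != SIGNATURE:
        raise ValueError("not a 512-byte sector with a valid MBR signature")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector0, TABLE_OFFSET + 16 * i)
        if ptype != 0:
            entries.append({"active": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries

def in_any_partition(entries, lba):
    """True when the LBA falls inside some partition, i.e. a partition format could touch it."""
    return any(e["lba_start"] <= lba < e["lba_start"] + e["sectors"] for e in entries)

def boot_code_fingerprint(sector0):
    """SHA-256 of the boot code only; compare with a baseline taken on a known-clean install."""
    return hashlib.sha256(sector0[:TABLE_OFFSET]).hexdigest()

if __name__ == "__main__":
    mbr = build_test_mbr()
    parts = parse_mbr(mbr)
    print("partitions:", parts)
    print("LBA 0 inside a partition?", in_any_partition(parts, 0))   # False
    print("boot code sha256:", boot_code_fingerprint(mbr))
```

On a real system the same parser can be pointed at the first 512 bytes read from the physical disk, and a changed boot-code hash with an unchanged partition table is exactly the pattern a bootkit scanner looks for.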
OK, well I get back to base on Saturday, probably get it finished on Sunday so look out for a report back then...
OK, here's the result of my rebuild attempt. Windows update definitely produced "corrupted" files but I'm still not sure who or what is guilty.

Physically Disconnected from net.

Began by booting to a mini XP environment and performing a full ntfs format on both the boot partition and system partition. Then deleted both partitions.

Installed Win 8, selected the empty space for installation. Let it create the two new partitions. Got it to format them.

Installation complete, performed malware test using current versions of Malwarebytes, RogueKiller and TDSSKiller. All in full scan mode. All clean.

Installed main malware defenses, Zonealarm pro, Avast, Clamwin, and Spybot. Repeated malware test. All clean.

Connected to web. Downloaded the current version of Rollback RX. Installed. Repeated malware test. Malwarebytes and TDSSKiller say still clean. RogueKiller reports root.mbr

Highly likely this is a false positive but I've asked Horizon Datasys to prove it. Decided to proceed with further tests despite RK report.

Allowed windows to download updates (44). Cautiously only allowed it to install the first 11. Reboot, repeat malware tests. Still only root.mbr

Allowed windows to install remaining 33. Reboot, repeat malware test: 65 threats found. Ran SFC /scannow. Corruptions found. Repairs failed. The cbs.log is filled with thousands of lines like these:

2013-09-07 23:12:42, Info                  CSI    0000f4bd [SR] Cannot repair member file [l:32{16}]"1394ohci.sys.mui" of 1394.inf.Resources, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:12:42, Info                  CSI    0000f4be [SR] Cannot repair member file [l:24{12}]"1394.inf_loc" of 1394.inf.Resources, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:12:42, Info                  CSI    0000f4bf [SR] Cannot repair member file [l:24{12}]"1394ohci.sys" of 1394.inf, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type = [l:24{12}]"driverUpdate", TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:12:42, Info                  CSI    0000f4c0 [SR] Cannot repair member file [l:16{8}]"1394.inf" of 1394.inf, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type = [l:24{12}]"driverUpdate", TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:12:42, Info                  CSI    0000f4c1 [SR] Cannot repair member file [l:26{13}]"3ware.inf_loc" of 3ware.inf.Resources, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
Intrigued by the refs to AMD64 because my processor is an Intel i7, but that's probably a red herring.

and, towards the end of the file, thousands like these:

2013-09-07 23:22:54, Info                  CSI    0002d8cb [SR] This component was referenced by [l:256{128}]"Microsoft-Windows-Client-Features-Package-ds~31bf3856ad364e35~amd64~~6.2.9200.16384.Microsoft-Windows-Client-Features-Package-ds"
2013-09-07 23:22:54, Info                  CSI    0002d8cc [SR] Cannot repair member file [l:112{56}]"DirectoryServices-DomainController-Tools-Replacement.man" of Microsoft-Windows-Migration-ReplacementManifests-ds, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:22:54, Info                  CSI    0002d8cd [SR] This component was referenced by [l:256{128}]"Microsoft-Windows-Client-Features-Package-ds~31bf3856ad364e35~amd64~~6.2.9200.16384.Microsoft-Windows-Client-Features-Package-ds"


So I rolled back to the snapshot I'd made after installing the first 11 windows updates and installed just the next 11.

This time the new threats were a mere 4. I rolled back to the safe snapshot and that's where I am now.

It should be stressed that the ONLY things downloaded from the web were the windows updates and the Rollback. I physically disconnected during the actual update and SFC procedures.

My own speculation - which I'm about to put to Horizon - is that their locking of the boot partition is contributing to the problem but perhaps someone here can confirm whether this is plausible.

What I know from my discussion with Horizon is that they believe they offer protection to the boot partition by locking it. I can confirm that it is well locked! My attempts to format it, delete it etc under either XP or Win 8 installation failed miserably. In the end I had to allow it to create an "empty" snapshot then uninstall itself to the empty snapshot. Only then - using the XP environment - could I format and delete the partition.

I don't know much about how windows manages its update procedure but I'm wondering if the windows update insists on updating the boot partition, if only with the hash list of the updated files, or something similar. If so, it will fail if you've got RX installed - and that is what is causing the alleged corruptions. I've been reluctant not to use RX because it makes it so damn easy to recover from disasters like the above, but I suppose there's no harm in trying to get to the same point without RX just to see what happens without it. So I intend to try that next.

Meanwhile, anyone else got any ideas?
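An added example, not from this thread or from any of the tools named in it: a small summariser for the [SR] lines that SFC writes to cbs.log, run on four lines copied from the excerpt above as sample input. It groups the "Cannot repair member file" entries by reason, component and architecture tag and collects the packages that referenced a broken component, which is the first step in telling a damaged component store from files that were actually tampered with (the function and field names are assumptions).

```python
import re
from collections import Counter, defaultdict

# Four lines copied from the cbs.log excerpt in this thread (sample input; a real log has thousands).
SAMPLE_CBS_LOG = """\
2013-09-07 23:12:42, Info                  CSI    0000f4bd [SR] Cannot repair member file [l:32{16}]"1394ohci.sys.mui" of 1394.inf.Resources, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:12:42, Info                  CSI    0000f4bf [SR] Cannot repair member file [l:24{12}]"1394ohci.sys" of 1394.inf, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type = [l:24{12}]"driverUpdate", TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:22:54, Info                  CSI    0002d8cc [SR] Cannot repair member file [l:112{56}]"DirectoryServices-DomainController-Tools-Replacement.man" of Microsoft-Windows-Migration-ReplacementManifests-ds, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:22:54, Info                  CSI    0002d8cd [SR] This component was referenced by [l:256{128}]"Microsoft-Windows-Client-Features-Package-ds~31bf3856ad364e35~amd64~~6.2.9200.16384.Microsoft-Windows-Client-Features-Package-ds"
"""

# [SR] Cannot repair member file [l:N{M}]"<file>" of <component>, ... pA = <arch> ..., <reason>
CANNOT_REPAIR = re.compile(
    r'\[SR\] Cannot repair member file \[l:\d+\{\d+\}\]"(?P<file>[^"]+)" of (?P<component>[^,]+),'
    r'.*\bpA = (?P<arch>\w+)\b.*, (?P<reason>[^,]+)$')
REFERENCED_BY = re.compile(
    r'\[SR\] This component was referenced by \[l:\d+\{\d+\}\]"(?P<package>[^"]+)"')

def summarize_sfc_log(text):
    """Tally unrepairable files by reason, component and architecture tag, plus the
    packages that referenced them. PROCESSOR_ARCHITECTURE_AMD64 simply denotes the
    x64 build of Windows; it says nothing about the CPU vendor."""
    reasons, archs, packages = Counter(), Counter(), Counter()
    by_component = defaultdict(list)
    for line in text.splitlines():
        m = CANNOT_REPAIR.search(line)
        if m:
            reasons[m["reason"]] += 1
            archs[m["arch"]] += 1
            by_component[m["component"]].append(m["file"])
            continue
        m = REFERENCED_BY.search(line)
        if m:
            packages[m["package"]] += 1
    return {"reasons": dict(reasons), "archs": dict(archs),
            "by_component": dict(by_component), "packages": dict(packages)}

if __name__ == "__main__":
    for key, value in summarize_sfc_log(SAMPLE_CBS_LOG).items():
        print(key, value)
```

Reading the whole log with `open(r"C:\Windows\Logs\CBS\CBS.log", encoding="utf-16")` is the usual way to feed it real data; a store where every failure is "file is missing" points at an incomplete or blocked servicing operation rather than at modified binaries.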
Hi, I have just one idea at this moment: can you try the reinstall without Rollback RX on a different hard drive? A lot of work (again) for you, but this may enable you to determine whether Rollback RX is causing all this trouble (or not...).
ASKER CERTIFIED SOLUTION
mjacobs2929

>> Relieved that my security hasn't been compromised
This is the answer you were really looking for, at least that's some peace of mind for you. I have no more suggestions, just would be nice if we'd get an update once you've sorted things out with Horizon. Thanks for your detailed posts and replies!
I shall - if this board lets me - update this thread with the Horizon result in due course...
Because I solved the problem myself.
Minor interim update. Horizon sent me a new version of the program to try out. It cured the false positive "ROOT.MBR" report but nothing else.

It not only failed to cure the main issue (false positives on corrupt windows updates) but in the process of attempting to revert and uninstall the new version, it so badly damaged my MBR and system partitions that windows was unable to fix them or even to perform a clean reinstall until I forced a deletion of both partitions and full format of the new ones.

That may not all be Horizon's fault, however, as I had been getting "dodgy partition" warnings on that drive following my recent efforts.

What is significant is that by sending me the trial version, they are at least acknowledging the problem (though they still refuse to actually SAY that...)
Thanks for the update, they may fix your issue after all :-)