WINDOWS UPDATE INFECTS MBR??!!

This is a direct follow on from the problem I described (and thought solved)
here: only about 72 hours ago.

In short, as I said in my final entry on that piece, I've been reinstalling all my software and devices, checking with tdsskiller after each one, to ensure that I have not re-infected myself.

I finally got around to allowing Windows to update itself. It found I needed 54 updates (remember I had rolled back to an installation snapshot made a few months ago at the start of this debacle, in the hope that this would clear the infection. It didn't: I still had 3 threats. So all those updates needed reinstalling). Fortunately I ran another tdsskiller test (clean) and made a Rollback snapshot of my system drive immediately prior to permitting the update.

On completion and restart, I immediately ran tdsskiller again and found 63 threats.

For obvious reasons, I immediately rolled back to the pre-update snapshot and all the threats have gone away.

For equally obvious reasons I'm gobsmacked.

I cannot believe that the "infection" is real, or else about 10% of the online users of Win 8 would be screaming (the few who have rootkit identifiers installed). Which leads me to conclude that they must be false positives, and that in turn takes me right back to the position I was in before I was persuaded to take the initial infection seriously.

The one thing that makes me suspicious (that it might be a real infection) is that, after the reboot (i.e. before I could run the tdsskiller test), the system insisted on going online and downloading something or other without announcing what it was doing or why and without telling me what it had done when it had finished. And it was in a most peculiar state. I could not interrupt it. I couldn't run the task manager, couldn't get back to the desktop or gain control in any other way. Couldn't even pull the network cable because I had left the update going at home and logged in remotely to finalise it and run the tdsskiller test...

I'm all ears...
mjacobs2929 asked:

aadih commented:
A comment only (no solution):

I don't believe it's a windows update that infects your MBR.

You are undoubtedly seriously infected, however.

Rootkits are nasty and hard to remove successfully.  :-(
0
aadih commented:
You could also try:

(1) Scanning with Malwarebytes Anti-Rootkit Beta:
http://www.malwarebytes.org/products/mbar/

(2) aswMBR:
http://public.avast.com/~gmerek/aswMBR.htm

(3) ComboFix:
http://www.bleepingcomputer.com/download/combofix/

before installing the updates (on a "supposedly clean" state).
0
mjacobs2929 (author) commented:
Already tried all those. ComboFix looked most convincing. aswMBR refused to run, even in safe mode, which made me very suspicious. I think I downloaded the wrong version of MBAR and will be trying that later...
0

mjacobs2929 (author) commented:
Quick update. Just got the right version of MBAM and ran a full scan. No threats found...
0
aadih commented:
So, how is the system behaving now?
0
Gerwin Jansen, EE MVE, Topic Advisor, commented:
What kind of threats did you get in the initial report, you mention 63 but not which ones.

After you've updated your system, can you monitor your hardware firewall (or have someone monitor it for you) and log traffic from the 'clean' system? You should be able to look at the firewall logs and find references to the strange update you've seen.
0
bnei commented:
I battled my computer for 4 weeks with the same symptoms that you stated. This was the solution that I used to get my computer running normal again.

Homeland Security has advised windows users to uninstall Java, because hackers have found a vulnerability. So far, 850 million computers have been attacked by the java jar exploit kit.

http://www.zdnet.com/homeland-security-warns-to-disable-java-amid-zero-day-flaw-7000009713/

It also runs in Windows recovery (System Volume Information), so when you recover your computer, the exploit also regenerates itself like a worm. It does infect Windows updates during installation.

If your anti-virus engine is showing no viruses now, but acting abnormal, uninstall java and manually delete the java folder in hidden appdata folder. Once your machine is running normally, create a new restore point.

Do not get Java and Javascript confused. They are two different programs.
0
Gerwin Jansen, EE MVE, Topic Advisor, commented:
@bnei - The issue you're referring to is from January this year - you reckon it's still valid?
0
mjacobs2929 (author) commented:
Bnei, interesting. I was aware of the Java issues. Wasn't aware they could cause behaviour like this.

Gerwin Jansen asks what the threats were. I didn't hang around to find out. I immediately restored the pre-update Rollback snapshot (I don't use System Restore, that's far too incomplete) and all the reported threats went away. I didn't have time to investigate further as I was preparing to go away for the week and had a customer server to rebuild.

You also talk about monitoring the firewall. I shall be looking at that issue when I get back. But I did monitor the network for a couple of nights using Wireshark and found nothing untoward in the list of "endpoints" and other activities.

aadih asks how the system is behaving now. The system has been perfectly normal all the way through this experience. It only started with an idle experiment on my part to see what, if anything tdsskiller would find and, to my consternation, it reported 125 threats. As all other tools were saying I was clean, I spent the first week denying the problem until I was persuaded (see previous thread) that the problem was real.

As of now, my plan is a total rebuild, delete all system and windoze partitions and start from scratch with periodic RogueKiller and tdsskiller checks to see that the system isn't acquiring an alleged threat as I rebuild it.
0
Gerwin Jansen, EE MVE, Topic Advisor, commented:
>> delete all system and windoze partitions
You'd have to clean MBR, partition area etc. as well - just to be sure.
0
mjacobs2929 (author) commented:
>>You'd have to clean MBR, partition area etc. as well - just to be sure.

That's news (to me). I have always assumed that deleting all the partitions, including the windoze system partition, followed by a full ntfs format was sufficient. Are you saying that the MBR occupies another bit of the disk that we don't see? Or that it somehow survives the re-partitioning and formatting process?
0
bnei commented:
I ended up with the java jar exploit during the last week of July. So I definitely believe the warning still applies. I did not figure out how to deal with it until the 3rd week in August. So yes, Java Jar Exploit is still attacking computers running java.
0
aadih commented:
Go ahead, reinstall (rebuild as you say).  That'd ease your concerns.
0
Gerwin Jansen, EE MVE, Topic Advisor, commented:
>> Are you saying that the MBR occupies another bit of the disk that we don't see?
No I'm not but since you've had so much trouble and can't explain why it happened again, I'd personally dd the whole disk with zeroes on another machine. But then again, that's a bit paranoid I guess. Let us know how your rebuild goes.
0
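The MBR question raised above (whether it lives somewhere that deleting and formatting partitions never touches) has a concrete answer: it is sector 0 of the disk, 446 bytes of boot code followed by a 64-byte partition table and the 0x55AA signature, and it sits before the first partition, outside every filesystem. Recreating partitions rewrites the table but leaves the boot code, and whatever occupies the sectors between the MBR and the first partition, exactly as it was. The Python below is an added example, not from this thread or from any of the tools it names: it builds a small constructed disk image, parses its MBR, hashes the boot code so two copies (a pre-update snapshot and the live disk, say) can be compared, and zeroes sector 0 plus the pre-partition gap, which is the minimal form of the zero-the-whole-disk advice. The image contents and paths are assumptions; it only opens the file it is given, so pointing it at a raw device (\\.\PhysicalDrive0 on Windows, /dev/sdX on Linux) needs administrator rights and is deliberately not done here. It handles MBR-partitioned disks only; a GPT/UEFI disk carries a protective MBR plus GPT headers and needs a different wipe.

```python
"""Parse and wipe the MBR of a disk image.

Added example, not from the thread or from any tool it names. The MBR is
sector 0: 446 bytes of boot code, four 16-byte partition entries at offset
446 and the 0x55AA signature at 510. It lies before the first partition, so
deleting and formatting partitions leaves the boot code (and the sectors
between the MBR and the first partition) untouched. Works on a file path
you supply; pointing it at a raw device needs administrator rights.
"""
import hashlib
import os
import struct
import tempfile

SECTOR = 512
MBR_SIG = b"\x55\xaa"
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
ENTRY = struct.Struct("<B3sB3sII")


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    if len(boot_code) > 446 or len(partitions) > 4:
        raise ValueError("boot code must fit in 446 bytes; at most 4 primary partitions")
    table = b"".join(
        ENTRY.pack(0x80 if bootable else 0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
        for bootable, ptype, start, count in partitions
    )
    return boot_code.ljust(446, b"\x00") + table.ljust(64, b"\x00") + MBR_SIG


def parse_mbr(sector0):
    """Return (sha256 of the boot code, list of used partition entries); raise if no signature."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIG:
        raise ValueError("no 0x55AA boot signature: not an MBR, or already wiped")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = ENTRY.unpack_from(sector0, 446 + 16 * i)
        if ptype:  # type 0 means the slot is unused
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": start, "sectors": count})
    return hashlib.sha256(sector0[:446]).hexdigest(), parts


def wipe_boot_area(path):
    """Zero sector 0 and every sector before the first partition, leaving the
    partitions' own contents alone. Returns the number of sectors zeroed."""
    with open(path, "r+b") as f:
        try:
            _, parts = parse_mbr(f.read(SECTOR))
            upto = max(1, min(p["lba_start"] for p in parts)) if parts else 1
        except ValueError:
            upto = 1  # no readable table: sector 0 still goes
        f.seek(0)
        f.write(b"\x00" * (upto * SECTOR))
    return upto


def demo():
    """Round trip on a constructed 2 MiB image with one NTFS partition at LBA 2048."""
    boot = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"  # constructed stand-in for boot code
    vbr = b"\xeb\x52\x90NTFS    "                # first 11 bytes of a real NTFS VBR
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(build_mbr(boot, [(True, 0x07, 2048, 2048)]))
            f.write(b"\x00" * (2047 * SECTOR))   # the gap: outside any filesystem
            f.write(vbr.ljust(SECTOR, b"\x00"))
            f.write(b"\x00" * (2047 * SECTOR))
        with open(path, "rb") as f:
            boot_hash, parts = parse_mbr(f.read(SECTOR))
        wiped = wipe_boot_area(path)
        with open(path, "rb") as f:
            data = f.read()
        try:
            parse_mbr(data[:SECTOR])
            mbr_left = True
        except ValueError:
            mbr_left = False
        return {"partitions": parts, "boot_code_sha256": boot_hash, "sectors_wiped": wiped,
                "mbr_after_wipe": mbr_left,
                "vbr_intact": data[2048 * SECTOR:2048 * SECTOR + len(vbr)] == vbr}
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

After the wipe the disk is unbootable until the installer writes a fresh MBR, which is the intended state before a rebuild. Comparing boot_code_sha256 between a snapshot and the live disk is the cheap check for an MBR that has been rewritten by something other than the installer; the partition table is expected to change, the boot code is not.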
mjacobs2929 (author) commented:
OK, well I get back to base on Saturday, probably get it finished on Sunday so look out for a report back then...
0
mjacobs2929 (author) commented:
OK, here's the result of my rebuild attempt. Windows update definitely produced "corrupted" files but I'm still not sure who or what is guilty.

Physically Disconnected from net.

Began by booting to a mini XP environment and performing a full ntfs format on both the boot partition and system partition. Then deleted both partitions.

Installed Win 8, selected the empty space for installation. Let it create the two new partitions. Got it to format them.

Installation complete, performed malware test using current versions of Malwarebytes, RogueKiller and TDSSKiller. All in full scan mode. All clean.

Installed main malware defenses, Zonealarm pro, Avast, Clamwin, and Spybot. Repeated malware test. All clean.

Connected to web. Downloaded current version of Rollback RX. Installed. Repeated malware test. Malwarebytes and TDSSKiller say still clean. RogueKiller reports root.mbr

Highly likely this is a false positive but I've asked Horizon Datasys to prove it. Decided to proceed with further tests despite RK report.

Allowed windows to download updates (44). Cautiously only allowed it to install the first 11. Reboot, repeat malware tests. Still only root.mbr

Allowed windows to install remaining 33. Reboot, repeat malware test: 65 threats found. Ran SFC /scannow. Corruptions found. Repairs failed. The cbs.log is filled with thousands of lines like these:

2013-09-07 23:12:42, Info                  CSI    0000f4bd [SR] Cannot repair member file [l:32{16}]"1394ohci.sys.mui" of 1394.inf.Resources, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:12:42, Info                  CSI    0000f4be [SR] Cannot repair member file [l:24{12}]"1394.inf_loc" of 1394.inf.Resources, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:12:42, Info                  CSI    0000f4bf [SR] Cannot repair member file [l:24{12}]"1394ohci.sys" of 1394.inf, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type = [l:24{12}]"driverUpdate", TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:12:42, Info                  CSI    0000f4c0 [SR] Cannot repair member file [l:16{8}]"1394.inf" of 1394.inf, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type = [l:24{12}]"driverUpdate", TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:12:42, Info                  CSI    0000f4c1 [SR] Cannot repair member file [l:26{13}]"3ware.inf_loc" of 3ware.inf.Resources, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
Intrigued by the refs to AMD64 because my processor is an Intel i7, but that's probably a red herring.

and, towards the end of the file, thousands like these:

2013-09-07 23:22:54, Info                  CSI    0002d8cb [SR] This component was referenced by [l:256{128}]"Microsoft-Windows-Client-Features-Package-ds~31bf3856ad364e35~amd64~~6.2.9200.16384.Microsoft-Windows-Client-Features-Package-ds"
2013-09-07 23:22:54, Info                  CSI    0002d8cc [SR] Cannot repair member file [l:112{56}]"DirectoryServices-DomainController-Tools-Replacement.man" of Microsoft-Windows-Migration-ReplacementManifests-ds, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:22:54, Info                  CSI    0002d8cd [SR] This component was referenced by [l:256{128}]"Microsoft-Windows-Client-Features-Package-ds~31bf3856ad364e35~amd64~~6.2.9200.16384.Microsoft-Windows-Client-Features-Package-ds"


So I rolled back to the snapshot I'd made after installing the first 11 windows updates and installed just the next 11.

This time the new threats were a mere 4. I rolled back to the safe snapshot and that's where I am now.

It should be stressed that the ONLY things downloaded from the web were the windows updates and the Rollback. I physically disconnected during the actual update and SFC procedures.

My own speculation - which I'm about to put to Horizon - is that their locking of the boot partition is contributing to the problem but perhaps someone here can confirm whether this is plausible.

What I know from my discussion with Horizon is that they believe they offer protection to the boot partition by locking it. I can confirm that it is well locked! My attempts to format it, delete it etc under either XP or Win 8 installation failed miserably. In the end I had to allow it to create an "empty" snapshot then uninstall itself to the empty snapshot. Only then - using the XP environment - could I format and delete the partition.

I don't know much about how Windows manages its update procedure but I'm wondering if the Windows update insists on updating the boot partition, if only with the hash list of the updated files, or something similar. If so, it will fail if you've got RX installed, and that is what is causing the alleged corruptions. I've been reluctant not to use RX because it makes it so damn easy to recover from disasters like the above, but I suppose there's no harm in trying to get to the same point without RX just to see what happens without it. So I intend to try that next.

Meanwhile, Anyone else got any ideas?
0
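The cbs.log excerpts above are the raw material for the bisection described in the post (first 11 updates clean, the next 33 not, the next 11 yielding four). A way to read thousands of those lines without hand-counting, as an added example that is not part of the post or of SFC itself: the Python below parses the "[SR] Cannot repair member file" records, tallies them by component and by the reason CSI gives, collects the packages CSI says referenced the broken components, and diffs two runs so each batch of updates can be blamed for exactly the files it left missing. The sample log is a handful of lines copied from the post; the regex assumes the Windows 8 CBS.log layout shown there, and the script runs on a saved copy of %WINDIR%\Logs\CBS\CBS.log with nothing beyond the standard library.

```python
"""Summarise SFC /scannow repair failures from a Windows CBS.log.

Added example, not code from the original post. SFC logs one
"[SR] Cannot repair member file" line per file it could not restore,
usually followed by a "[SR] This component was referenced by" line
naming the package that pulled the component in. This tallies the
failures and diffs two runs; it needs nothing beyond the standard library.
"""
import re
from collections import Counter

# One CSI "[SR]" repair failure. [l:NN{MM}]"..." is CSI's length-prefixed
# string form; the quoted part is the member file name. The reason is the
# last comma-separated field of the line ("file is missing", ...).
FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d), Info\s+CSI\s+[0-9a-f]+ \[SR\] '
    r'Cannot repair member file \[l:\d+\{\d+\}\]"(?P<file>[^"]+)" of '
    r'(?P<component>[^,]+), Version = (?P<version>[^,]+),.*, (?P<reason>[^,]+)$'
)
# The package CSI says referenced the failing component (logged right after it).
REF_RE = re.compile(
    r'\[SR\] This component was referenced by \[l:\d+\{\d+\}\]"(?P<pkg>[^"]+)"'
)

# Sample input: lines copied from the cbs.log excerpt in the post above.
SAMPLE_LOG = """\
2013-09-07 23:12:42, Info                  CSI    0000f4bd [SR] Cannot repair member file [l:32{16}]"1394ohci.sys.mui" of 1394.inf.Resources, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:12:42, Info                  CSI    0000f4bf [SR] Cannot repair member file [l:24{12}]"1394ohci.sys" of 1394.inf, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type = [l:24{12}]"driverUpdate", TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:12:42, Info                  CSI    0000f4c0 [SR] Cannot repair member file [l:16{8}]"1394.inf" of 1394.inf, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type = [l:24{12}]"driverUpdate", TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:22:54, Info                  CSI    0002d8cc [SR] Cannot repair member file [l:112{56}]"DirectoryServices-DomainController-Tools-Replacement.man" of Microsoft-Windows-Migration-ReplacementManifests-ds, Version = 6.2.9200.16384, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2013-09-07 23:22:54, Info                  CSI    0002d8cd [SR] This component was referenced by [l:256{128}]"Microsoft-Windows-Client-Features-Package-ds~31bf3856ad364e35~amd64~~6.2.9200.16384.Microsoft-Windows-Client-Features-Package-ds"
"""

# Constructed "earlier run" containing only the first failure, to show the diff.
BEFORE_LOG = SAMPLE_LOG.splitlines()[0] + "\n"


def parse_failures(log_text):
    """Return one dict (ts, file, component, version, reason) per unrepairable file."""
    failures = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.rstrip())
        if m:
            failures.append(m.groupdict())
    return failures


def referencing_packages(log_text):
    """Set of packages CSI names as referencing a failing component."""
    return {m.group("pkg") for m in REF_RE.finditer(log_text)}


def summarise(log_text):
    """Totals by reason and by component, plus the referencing packages."""
    fails = parse_failures(log_text)
    return {
        "total": len(fails),
        "by_reason": Counter(f["reason"] for f in fails),
        "by_component": Counter(f["component"] for f in fails),
        "packages": sorted(referencing_packages(log_text)),
    }


def new_failures(before_log, after_log):
    """(component, file) pairs failing in the second run but not the first:
    the question the thread asks of each batch of updates."""
    before = {(f["component"], f["file"]) for f in parse_failures(before_log)}
    after = {(f["component"], f["file"]) for f in parse_failures(after_log)}
    return sorted(after - before)


if __name__ == "__main__":
    import sys
    # Usage: python cbs_summary.py [path\to\CBS.log]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    s = summarise(text)
    print(f"{s['total']} unrepairable files")
    for reason, n in s["by_reason"].most_common():
        print(f"  {n:6d}  {reason}")
    for comp, n in s["by_component"].most_common(10):
        print(f"  {n:6d}  {comp}")
    for pkg in s["packages"]:
        print(f"  referenced by {pkg}")
```

Save a copy of CBS.log after each batch and run new_failures(before, after) on the pair; an empty list is the clean result. A by_reason made entirely of "file is missing" says the files were absent from the volume altogether, which is worth keeping distinct from files that are present but fail their hash check, since the two point at different causes.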
Gerwin Jansen, EE MVE, Topic Advisor, commented:
Hi, I have just one idea at this moment: can you try the reinstall without Rollback RX on a different hard drive? A lot of work (again) for you but this may enable you to determine whether Rollback RX is causing all this trouble (or not...).
0
mjacobs2929 (author) commented:
>> try the reinstall without Rollback RX on a different harddrive?

too late!

And that's proved the hypothesis. Rollback's locking of the boot partition IS the cause of the entire problem (including the previous thread)

When I reinstalled and performed the windows update without Rollback, zero corruption reported by all 3 malware detectors. Then installed Rollback and still no corruption (though roguekiller still reports root.mbr). Of course, this is bad news for Rollback as - until they fix the issue - it means we can't update windows without first uninstalling Rollback, which rather defeats the point of having Rollback in the first place. Going to be interesting to see how they handle that one.

I'm going to call that a wrap unless anyone else has got any more suggestions to make.

Have to say I'm simultaneously relieved and irritated. Relieved that my security hasn't been compromised as I had been forced to believe but irritated by how much effort it's taken to track down and fix.

Thanks for sharing my pain!
0

Gerwin Jansen, EE MVE, Topic Advisor, commented:
>> Relieved that my security hasn't been compromised
This is the answer you were really looking for; at least that's some peace of mind for you. I have no more suggestions, just would be nice if we'd get an update once you've sorted things out with Horizon. Thanks for your detailed posts and replies!
0
mjacobs2929 (author) commented:
I shall - if this board lets me - update this thread with the Horizon result in due course...
0
mjacobs2929 (author) commented:
Because I solved the problem myself.
0
mjacobs2929 (author) commented:
minor interim update. Horizon sent me a new version of the program to try out. It cured the false positive "ROOT.MBR" report but nothing else.

It not only failed to cure the main issue (false positives on corrupt windows updates) but in the process of attempting to revert and uninstall the new version, it so badly damaged my MBR and system partitions that windows was unable to fix them or even to perform a clean reinstall until I forced a deletion of both partitions and full format of the new ones.

That may not all be Horizon's fault, however, as I had been getting "dodgy partition" warnings on that drive following my recent efforts.

What is significant is that by sending me the trial version, they are at least acknowledging the problem (though they still refuse to actually SAY that...)
0
Gerwin Jansen, EE MVE, Topic Advisor, commented:
Thanks for the update, they may fix your issue after all :-)
0