Fully updated system with up-to-date AV now hacked!

David W. Hodgins

Spent the last 4 hours or so, at a friend's place. I'd previously
done everything I could to lock down the system, but he managed
to get some sort of malware installed.

Neither avast nor superantispyware finds any problems. It's an old,
slow computer, so the scans took hours.

The admin account is no longer accessible from the login screen,
even in safe mode. Only the limited user account is accessible.
GMER will not run, apparently due to lack of permissions.

The firewall service is not running, and can't be started due
to lack of permission.
The security center service is not running.

This old computer has an lcd tv used as the monitor. The tv does
not display text mode, so the bios setup screen cannot be seen.

The bios is set to boot from the hard drive first, so booting from
a cd is out.

I'll be going back over to his place on Tuesday. I expect the next
step will be to pull the hard drive out of his computer, and put it
in mine, as a slave, so I can scan it without whatever rootkits are
running.

Luckily he doesn't use it for online banking, or shopping!

I HATE Microsoft. I expect this friend will become another linux
convert very soon!

Regards, Dave Hodgins
 
VanguardLH

David said:
> Spent the last 4 hours or so, at a friend's place. I'd previously
> done everything I could to lock down the system, but he managed
> to get some sort of malware installed.

No security software can overcome the willingness of a user to thwart it.

Since you are apparently the real admin for this boob user, why didn't you
set up periodic full and incremental image backups of, at least, his OS
partition and where the backups would get saved in a different partition on
a different hard disk to preserve those backups in case of file system
corruption or hard disk failure? Locking down a host is of little value if
it doesn't include recovery options.

> Neither avast nor superantispyware finds any problems. It's an old,
> slow computer, so the scans took hours.
>
> The admin account is no longer accessible from the login screen,
> even in safe mode.

And apparently you have never heard of corrupted profiles. That's why you
NEVER use the Administrator account except in emergencies and why the first
account you create is an alternate admin-level account that gets used for
normal admin duties and you give a restricted account for the user to use
for non-admin duties, especially for boobs that have never even bothered to
read a Windows for Dummies book.

> Only the limited user account is accessible.
> GMER will not run, apparently due to lack of permissions.
>
> The firewall service is not running, and can't be started due
> to lack of permission.
> The security center service is not running.
>
> This old computer has an lcd tv used as the monitor. The tv does
> not display text mode, so the bios setup screen cannot be seen.

Monitors never display text. They always display the graphic image sent to
it. That YOU interpret the display as showing text is of no interest to the
monitor. More likely there is a problem in the monitor not configured to
properly display the resolution used by the text *mode* for the video
display.

> The bios is set to boot from the hard drive first, so booting from
> a cd is out.

If it is as old as you say then it has a floppy drive from which it might
first boot. You could then load some OS with drivers for supporting the
CD/DVD drive to then run utilities on your CDs.

> I'll be going back over to his place on Tuesday. I expect the next
> step will be to pull the hard drive out of his computer, and put it
> in mine, as a slave, so I can scan it without whatever rootkits are
> running.

So far, it doesn't look like malware. Looks more like the user ****ed up
the OS so badly with bad drivers, conflicting software, bad tweaks, or
incomplete uninstalls, especially of security software, that he put the OS
in an unusable state. Did you ever attempt to reboot Windows by going into
the F8 boot menu and selecting "last known good configuration"?

> Luckily he doesn't use it for online banking, or shopping!
>
> I HATE Microsoft. I expect this friend will become another linux
> convert very soon!

Yeah, now there's a good candidate for an educated Linux user, uh huh. Just
wait until he is at the root directory and runs "sudo rmdir -". This boob
has no inclination to learn how to use Windows and, for sure, yep, he's
gonna do better with Linux. Put the toke pipe down and wait a couple hours
before you revisit your friend's computer.

So did you actually have a point to your post here since you didn't ask any
actual questions or ask for guidance? Or is this just where you decided to
record your diary entry?
 
FromTheRafters

> This old computer has an lcd tv used as the monitor. The tv does
> not display text mode, so the bios setup screen cannot be seen.

In my experience (not a professional) if you use an s-video connection,
the onboard video support requires the OS for the driver. If you use the
RS-232 (VGA) video cable instead of the s-video cable you can see the
messages during boot.
 
David H. Lipman

From: "FromTheRafters" <[email protected]>


| In my experience (not a professional) if you use an s-video connection,
| the onboard video support requires the OS for the driver. If you use the
| RS-232 (VGA) video cable instead of the s-video cable you can see the
| messages during boot.


The RS-232 uses a 9 or 25 pin D-Subminiature interface.

VGA is a 15 pin D-Subminiature and should not be called RS-232 nor confused with this old
serial connector.
 
FromTheRafters

> The admin account is no longer accessible from the login screen,
> even in safe mode. Only the limited user account is accessible.

It might have been a trojan bomb. There is no way for me to tell, but
IIRC the Safe Mode admin account is supposed to be enabled when there is
no other admin account (i.e., when the last existing one is demoted or
otherwise removed). A miscreant with sufficient privileges can however
assign admin rights to the asp.net user account (satisfying the
requirement for not needing to enable the Safe Mode admin account) and
remove/demote all others resulting in the user being unable to elevate.
 
FromTheRafters

David H. Lipman said:
> From: "FromTheRafters" <[email protected]>
>
> | In my experience (not a professional) if you use an s-video connection,
> | the onboard video support requires the OS for the driver. If you use the
> | RS-232 (VGA) video cable instead of the s-video cable you can see the
> | messages during boot.
>
> The RS-232 uses a 9 or 25 pin D-Subminiature interface.
>
> VGA is a 15 pin D-Subminiature and should not be called RS-232 nor
> confused with this old serial connector.

Sorry, I knew it wasn't quite right but was too lazy to look up the correct
nomenclature. My hope was to help David W. Hodgins. I Googled "rs-232"
(the only nomenclature I could remember) and "video" and got "confirmed
by google" <cough> enough to make the errant post.

Thanks for correcting me.
 
Leythos

> I'll be going back over to his place on Tuesday. I expect the next
> step will be to pull the hard drive out of his computer, and put it
> in mine, as a slave, so I can scan it without whatever rootkits are
> running.
>
> Luckily he doesn't use it for online banking, or shopping!
>
> I HATE Microsoft. I expect this friend will become another linux
> convert very soon!

And yet, in my 30+ years of using computers, thousands of them with MS
operating systems, I've had exactly one malware on all of those machines
that I've used.

If the system is that old, that it takes hours to do a scan, which is
normal for many computers, wipe it and reinstall clean, the system will
most likely run faster and it will be easier for you to do the updates
and make sure that everything is applied.

I have never seen a machine where the user was always using a Limited
account that was compromised, but I've seen a lot of machines where the
user had a limited account and wasn't using that one, where they were
using the Admin account after being warned not to, and they were
compromised while using the admin account.
 
David H. Lipman

From: "Leythos" <[email protected]>



| I have never seen a machine where the user was always using a Limited
| account that was compromised, but I've seen a lot of machine where the
| user had a limited account and wasn't using that one, where they were
| using the Admin account after being warned not to, and they were
| compromised while using the admin account.


I have. They were infected through malware that took advantage of Buffer Overflow
conditions and the subsequent elevation of privileges.
 
Dave Cohen

> Spent the last 4 hours or so, at a friend's place. I'd previously
> done everything I could to lock down the system, but he managed
> to get some sort of malware installed.
>
> Neither avast nor superantispyware finds any problems. It's an old,
> slow computer, so the scans took hours.
>
> The admin account is no longer accessible from the login screen,
> even in safe mode. Only the limited user account is accessible.
> GMER will not run, apparently due to lack of permissions.
>
> The firewall service is not running, and can't be started due
> to lack of permission.
> The security center service is not running.
>
> This old computer has an lcd tv used as the monitor. The tv does
> not display text mode, so the bios setup screen cannot be seen.
>
> The bios is set to boot from the hard drive first, so booting from
> a cd is out.
>
> I'll be going back over to his place on Tuesday. I expect the next
> step will be to pull the hard drive out of his computer, and put it
> in mine, as a slave, so I can scan it without whatever rootkits are
> running.
>
> Luckily he doesn't use it for online banking, or shopping!
>
> I HATE Microsoft. I expect this friend will become another linux
> convert very soon!
>
> Regards, Dave Hodgins

I've never had a virus and I've used MS for years. I'm not going to get
into a back and forth MS vs Linux and I wouldn't waste much time
defending MS, but I've used both and if your user can't handle MS he
won't get very far with Linux unless all he wants to do is email and
surf the net. It is not a system ready for the non technical user, and
if your friend requires you to set things up for him, I have to assume he
fits that description.
 
David W. Hodgins

> No security software can overcome the willingness of a user to thwart it.

Agreed. The most dangerous user is the one who thinks he knows
what he's doing, but doesn't.

> Since you are apparently the real admin for this boob user, why didn't you
> set up periodic full and incremental image backups of, at least, his OS
> partition and where the backups would get saved in a different partition on
> a different hard disk to preserve those backups in case of file system
> corruption or hard disk failure? Locking down a host is of little value if
> it doesn't include recovery options.

Limited hardware available. I cleaned a number of malware problems
from it last summer, created a new admin account, and then changed
the existing account to a limited one. That way, in order to access
his photo and music collection, he had to use the limited account.
Set everything to auto-update, and got him to use firefox.

I gather he was still using the admin account for more than just
admin functions though, and using ie.

> Monitors never display text. They always display the graphic image sent to
> it. That YOU interpret the display as showing text is of no interest to the
> monitor. More likely there is a problem in the monitor not configured to
> properly display the resolution used by the text *mode* for the video
> display.

During the post, and bios setup, the video mode uses the equivalent
of cga mode, which the tv doesn't support.

I've seen this before, where you have to hook up a real monitor,
to see the post messages, and bios setup.

This tv, that also has a vga connection, does not support the video
modes used during post/bios setup.

> If it is as old as you say then it has a floppy drive from which it might
> first boot. You could then load some OS with drivers for supporting the
> CD/DVD drive to then run utilities on your CDs.

It's definitely set to boot from the hard drive first.

The person he bought the computer from, had set it up that way
for a faster boot. That person had a real monitor, not a tv.

> So far, it doesn't look like malware. Looks more like the user ****ed up
> the OS so badly with bad drivers, conflicting software, bad tweaks, or
> incomplete uninstalls, especially of security software, that he put the OS
> in an unusable state. Did you ever attempt to reboot Windows by going into
> the F8 boot menu and selecting "last known good configuration"?

System restore has been disabled. Certainly looks like malware to
me, when the firewall and security center services have been stopped
too.

> Yeah, now there's a good candidate for an educated Linux user, uh huh. Just
> wait until he is at the root directory and runs "sudo rmdir -". This boob
> has no inclination to learn how to use Windows and, for sure, yep, he's
> gonna do better with Linux. Put the toke pipe down and wait a couple hours
> before you revisit your friend's computer.

As I did with my sisters' system, I'd set up remote ssh access
for myself, so I could keep it updated, and when needed, take
over the keyboard/mouse to show him how to do things.

> So did you actually have a point to your post here since you didn't ask any
> actual questions or ask for guidance? Or is this just where you decided to
> record your diary entry?

I was actually hoping for suggestions on a way to proceed. Now
that I've slept on it, I've decided to bring his computer to my
place, so I can hook up a real monitor and a ps2 keyboard, so
that I can change the bios settings to boot from the cd/dvd
drive.

Time to flatten and reinstall, in my opinion.

Regards, Dave Hodgins
 
David W. Hodgins

> If the system is that old, that it takes hours to do a scan, which is
> normal for many computers, wipe it and reinstall clean, the system will
> most likely run faster and it will be easier for you to do the updates
> and make sure that everything is applied.

Agreed. Means I'll have to hook up a real monitor, so I can see
the post/bios setup messages, in order to be able to change the
boot order, so I can boot from an install cd.

> I have never seen a machine where the user was always using a Limited
> account that was compromised, but I've seen a lot of machines where the
> user had a limited account and wasn't using that one, where they were
> using the Admin account after being warned not to, and they were
> compromised while using the admin account.

I'm pretty sure that's what happened here. I'd like to figure out
exactly what he did, and what malware was involved, but I think
that may just be a waste of time, at this point.

Regards, Dave Hodgins
 
David W. Hodgins

> surf the net. It is not a system ready for the non technical user, and
> if your friend requires you to set things up for him, I have to assume he
> fits that description.

He's one of those users who thinks he knows a lot more than he
does. At least with linux, I can lock down the privileges to
control what he can do. For example, I can set it up so that
he can install updates from the distribution's repositories, but
can't install new programs, or stuff from third parties, without
my involvement.

Regards, Dave Hodgins
 
David W. Hodgins

> IIRC the Safe Mode admin account is supposed to be enabled when there is
> no other admin account (i.e., when the last existing one is demoted or
> otherwise removed). A miscreant with sufficient privileges can however
> assign admin rights to the asp.net user account (satisfying the
> requirement for not needing to enable the Safe Mode admin account) and
> remove/demote all others resulting in the user being unable to elevate.

Using the control panel/users currently only shows the one
limited account. I was surprised that safe mode also only
had that one account available.

Regards, Dave Hodgins
 
VanguardLH

David said:
> Agreed. The most dangerous user is the one who thinks he knows
> what he's doing, but doesn't.
>
> Limited hardware available. I cleaned a number of malware problems
> from it last summer, created a new admin account, and then changed
> the existing account to a limited one. That way, in order to access
> his photo and music collection, he had to use the limited account.
> Set everything to auto-update, and got him to use firefox.
>
> I gather he was still using the admin account for more than just
> admin functions though, and using ie.
>
> During the post, and bios setup, the video mode uses the equivalent
> of cga mode, which the tv doesn't support.
>
> I've seen this before, where you have to hook up a real monitor,
> to see the post messages, and bios setup.
>
> This tv, that also has a vga connection, does not support the video
> modes used during post/bios setup.
>
> It's definitely set to boot from the hard drive first.
>
> The person he bought the computer from, had set it up that way
> for a faster boot. That person had a real monitor, not a tv.
>
> System restore has been disabled. Certainly looks like malware to
> me, when the firewall and security center services have been stopped
> too.
>
> As I did with my sisters' system, I'd set up remote ssh access
> for myself, so I could keep it updated, and when needed, take
> over the keyboard/mouse to show him how to do things.
>
> I was actually hoping for suggestions on a way to proceed. Now
> that I've slept on it, I've decided to bring his computer to my
> place, so I can hook up a real monitor and a ps2 keyboard, so
> that I can change the bios settings to boot from the cd/dvd
> drive.
>
> Time to flatten and reinstall, in my opinion.
>
> Regards, Dave Hodgins

You could tote a computer monitor (LCD is lighter than CRT, if you have a
choice) or maybe find a cheapie working model at a pawn shop. After all,
just how is this host going to get into Windows' Safe Mode or Recovery
Console mode for basic troubleshooting?

Maybe you could disconnect the hard disk during the boot so the secondary
boot device (CD or floppy) is found and used for booting the host.

If you're going to flatten, you'll want to be saving the files off the old
hard disk. I doubt the user will appreciate losing their data. So it's
about time to start thinking of what to use to backup the old files and what
could then be used thereafter to backup this repeatedly victimized host.

Acronis TrueImage is good (and what I use) but it's payware. Seagate
quietly partnered with Acronis to rebrand the OEM version of TrueImage into
the Disc Wizard utility that comes with retail versions of Seagate hard
disks or you can download it. You'll see "Powered by Acronis" in its
screens. Get DiscWizard at http://tinyurl.com/27y63t. I don't know if
DiscWizard includes the ability to explore an image to retrieve just some
files rather than having to restore the entire backup image. It has image
backup and restore. It also has Clone Disc but that's probably not what you
want to use here.

Other free backup/imaging utilities are Paragon's Express
(http://tinyurl.com/62su93) and Comodo's Time Machine
(http://tinyurl.com/y9yc74o). Comodo also has a free backup program which
is just a logical file copy but then you're looking at saving just files to
restore later. Comodo Time Machine is probably easy enough for a boob user
but I don't feel it is quite reliable enough for continual deployment on my
personal host (in fact, using something else to save an image is recommended
before installing Comodo Time Machine), especially since I already have
Acronis TrueImage or would probably go with Paragon's free product; however,
the hierarchical view in Comodo Time Machine is something that a boob could
probably understand. Like Acronis and Paragon, Time Machine installs
(usurps) the bootstrap area of the MBR so the utility is available when the
host is booted and before the OS even loads (so it is available if you
cannot boot the OS or it is unusable). Comodo Time Machine stores its
snapshots inside the same partition as it is protecting, so you're not
covered if the hard disk dies. Acronis and Paragon let you save their
backups in other partitions and those can be on a different hard disk (for
speed) or removable media (more nuisancesome). Acronis lets you create a
hidden partition where to save image backups (both full and incremental
images) to help hide them from malware, and if you get stuck with an MBR
bootstrap malware then you can use the bootable CD (of course, after you've
gotten around to fixing the disk boot order in BIOS).

With DiscWizard (on a different host), you can create bootable media and
then try the above mention of disconnecting the hard disk during the boot to
force booting from the CD or floppy (with driver support for the CD drive).
Comodo's tools aren't portable but something to use when you tote the
corrupted disk to your host to get files off of it and onto removable
storage media. I don't know if Paragon's free backup program can be made
portable. You might copy only some files that are obviously data files that
the user wants to keep only to find out later there were config or other
files the user would also like back, so you might want to save all of the
old disk's files to put on storage discs to refer to later. I'd save
everything as an image (so I could also get at the old registry .dat files)
just in case it comes up later that something else needs to get recovered.
 
David W. Hodgins

> You could tote a computer monitor (LCD is lighter than CRT, if you have a
> choice) or maybe find a cheapie working model at a pawn shop. After all,
> just how is this host going to get into Windows' Safe Mode or Recovery
> Console mode for basic troubleshooting?

During the bootup, windows switches to vga mode quite early, which does
allow safe mode to be selected/used. Haven't tried the recovery console yet,
due to the booting issues. I currently only have one monitor, a 20 inch
Mitsubishi diamond scan (purchased in 92), that weighs more than I do.

> Maybe you could disconnect the hard disk during the boot so the secondary
> boot device (CD or floppy) is found and used for booting the host.

That's an interesting idea, although reconnecting the drive after the boot
starts probably won't work, and no access to the hard drive, when booted from
an install cd, doesn't accomplish much.

> If you're going to flatten, you'll want to be saving the files off the old
> hard disk. I doubt the user will appreciate losing their data. So it's
> about time to start thinking of what to use to backup the old files and what
> could then be used thereafter to backup this repeatedly victimized host.

He's using an online backup service for all of his data, but I'll stick in
another hard drive, and backup all of the data, just in case there are some
he hasn't backed up.

> Acronis TrueImage is good (and what I use) but it's payware. Seagate

Once I get the system able to boot from a cd/dvd, I'll stick with a linux
live cd, such as knoppix, and use rsync to backup the data. I may make
an image copy of the drive (using dd), for later analysis.

Thanks for the suggestions.

Regards, Dave Hodgins
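The live-CD approach in the post above (image the drive with dd for later analysis, copy the data with rsync), written out as an added example that is not from the thread. It assumes a Linux live CD with dd, sha256sum or shasum, and rsync; the device name /dev/sdb and the mount points are placeholders.

```shell
#!/bin/sh
# Added example: preserve a suspect drive before flattening it.
# /dev/sdb, /mnt/suspect and /media/backup below are placeholder names.

# Hash a file with whichever SHA-256 tool the live CD provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Raw image of SRC into DST, then record the image's digest beside it.
# conv=noerror,sync keeps reading past bad sectors and zero-fills them,
# so every offset in the image still matches the original drive.
# SRC is never written to: the image is the working copy, the drive is the evidence.
image_disk() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=512 conv=noerror,sync || return 1
    hash_file "$dst" > "$dst.sha256"
}

# Re-hash both the source and the image and compare them with the recorded
# digest; returns 0 only when all three agree (a short read or a later
# modification of the image makes this fail).
verify_image() {
    src=$1; dst=$2
    recorded=$(cat "$dst.sha256") || return 1
    [ "$(hash_file "$src")" = "$recorded" ] && [ "$(hash_file "$dst")" = "$recorded" ]
}

# Copy the user's files off a read-only mount, preserving timestamps and
# permissions, skipping the Windows swap and hibernation files.
# Mount the partition read-only and non-executable first, e.g.:
#   mount -o ro,noexec,nodev,nosuid /dev/sdb1 /mnt/suspect
backup_data() {
    src_dir=$1; dst_dir=$2
    command -v rsync >/dev/null 2>&1 || return 1
    rsync -a --exclude='pagefile.sys' --exclude='hiberfil.sys' "$src_dir/" "$dst_dir/"
}

# Typical sequence on the live CD (placeholder paths):
#   image_disk /dev/sdb /media/backup/friend.dd && verify_image /dev/sdb /media/backup/friend.dd
#   backup_data "/mnt/suspect/Documents and Settings" /media/backup/data
```

Keep the .sha256 file with the image; re-running verify_image against the image alone is what lets you trust it later when the original drive has been wiped.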
 
