
Dropping A Trojan Onto Genuine Advantage Windows Install CDs - How Hard Is This?


TheyCallmeScooter


A week or two ago, my inbuilt webcam wasn't working so I went to the Dell Thailand site to download the driver for it. Whilst I was there, I downloaded some other drivers which I apparently needed. After installing them, I was instructed to restart my laptop, at which point the "Updating Windows - Don't Turn Off Your Computer" screen was frozen for 40 min or so. Unsure whether to turn it off or not, I just left it and went to dinner. When I got back hours later, my laptop had powered down. I switched it on, it went to BIOS, I deleted a superfluous password I'd been meaning to delete, then exited into...Computer Hell.

My hard drive was encrypted by Bitlocker, which sent me a file titled Recovery Key, which I had saved in Gmail. Bitlocker was asking for a key; I opened this file only to discover no key existed. Long story short, there is no way to recover a Bitlocker-encrypted hard drive, and I was forced to throw it out and DELL replaced it with a new one.

The DELL technician was here reinstalling the OS and drivers for a couple hours just over a week ago. After he left, I realised from the increased speed that it had been far too long since I reformatted my desktop hard drive. I made a Windows ISO install flash drive from a brand new USB stick, downloading directly from Microsoft, and formatted my PC and reinstalled Windows 7.

A day or two later, my computers started going crazy. A hacker or possibly advanced malware was taking over the Audit / Special Permissions for all my OS key files, including taking over and corrupting any and all anti-virus/spyware/malware 'solutions' I frantically purchased and attempted. These include iObit360, Trend Micro Titanium, Microsoft Security Essentials, Windows Defender, Webroot Spyware, Norton, Malwarebytes, ESET Internet Security, iolo System Mechanic and some more I can't remember right now. ComboFix, CCleaner, HijackThis are all rendered useless, usually resulting in a blue-screen crash.

11LtA.jpg

Gmer showed up a rootkit:

---- Services - GMER 1.0.15 ----

Service C:\Windows\servicing\TrustedInstaller.exe (*** hidden *** ) [AUTO] TrustedInstaller <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Despite being logged on as Administrator, I couldn't wrestle back Owner Permissions. I tried killing Services, and was able to Disable / Stop many Remote Procedure Call services which had started, but there were a number which had been locked by the hacker / malware with Registry entries which I was unable to delete. As things spun out of control, I decided I had no option but to completely format / reinstall.

2BacG.jpg

I have done 'clean' format / reinstalls from both my Genuine Advantage discs and my ISO flash drive...roughly 20 times in the last week. I finally noticed the malware was inbuilt into the installation process, where it hijacks all the Windows Audit / Special Permissions and I'm basically screwed even before I ever get online. In Event logs directly following a 'clean' format / reinstall, there are 1000 entries which include stuff like: ".NET Runtime Optimization Service (2.0.50727.4927) - Installed from repository: AuditPolicyGPManagedStubs.Interop" and "Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware."

tmivv.jpg

If I do go online following a format / reinstall, when I try and download MS Security Essentials, the malware executes Command Prompts for old Microsoft Hotfixes which fix issues created by Remote Desktop Protocol logins. In fact, all my Windows Updates are completely controlled by the malware.

Mirror servers are set up, and if I get too aggressive with the Registry Keys or trying to wrestle back my Permissions as owner, I get dumped into a Temp login with all my Administrator Permissions taken away. At one point, I noticed my systems were saying "Windows NT" instead of "Windows 7 Ultimate" in Computer Properties. Usually, any Permissions I have as Administrator evaporate pretty quickly in any case, with messages saying "You do not have the required Permissions, contact your System Administrator" and "The Service is not accepting Control orders at this time" whenever I try to delete files or kill services.

I still hadn't worked out it was the DELL technician until late Friday evening, after I hired a Systems Security expert who was listed on ThaiVisa (great computer guy, actually - I strongly recommend his services) who did a clean format / reinstall from his own rescue disc - he then polished up my router security and killed a lot of exploitable services and everything was looking great until I noticed my ESET firewall rules were being changed to allow RDP access and I couldn't change them back or even shut down ESET at all.

My system was crashing saying I had driver issues, so I went to Dell.com to update with all the latest drivers. It was then that I noticed the DELL technician had installed all these very outdated drivers for my Trusted Program Module, AccessPoint and ControlPoint and my firmware had been rolled back to a very early version. I was unable to update any drivers as a result. The systems security guy came back yesterday scoffing at my claims, but after 5 hours of fighting to update the drivers, he conceded something had been done to the BIOS on all my computers. I showed him the Genuine Advantage discs, and uploaded the autorun.inf file located ON the discs burned by Microsoft into VirusTotal.com - which triggered a McAfee Alert for being a trojan Generic!atr.b

MD5 : 11e9f43de44006d1f5316fc402910246

SHA1 : 8c75776cc881d8ac8483e017c95cb3fef4477a83

SHA256: 1b6a5b7444395bb1adaddca43adad2b800278099fbfe2c176d916df923f68d81

ssdeep: 3:03BKVX2VL4yVL4sV:SKYL4GL40

File size : 43 bytes

First seen: 2009-03-22 18:37:59

Last seen : 2011-02-20 17:12:06

TrID: Generic INI configuration (100.0%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

This is located ON my Microsoft Genuine Advantage Windows CDs. Microsoft says this is impossible, yet seem remarkably disinterested in looking at the evidence I've submitted to them PROVING it's been done.

I'm pretty sure I can clean it with McAfee but have to hold off for DELL to arrive as cleaning it will destroy the evidence, I think. McAfee's description is pretty much spot on:

This is a generic detection for a configuration text file (autorun.inf) used by many worms. This file is usually dropped onto the root of all removable drives and mapped drives in an attempt to autorun an executable when the drive is accessed.

Some copies of this file have the System (S) and Hidden (H) attributes present in an attempt to hide the file from certain, default, viewing options within Windows Explorer.

The contents of the file are similar to the following:

[Autorun]

open=<WORM>.exe

shellexecute=<WORM>.exe

shell\Auto\command=<WORM>.exe

Symptoms: The presence of autorun.inf files on the root of all removable drives or mapped network drives containing information similar to that described in the "Characteristics" section.

Infection starts either with manual execution of the binary or by navigating to folders containing infected files whereby the autorun.inf files can cause auto-execution.

My concerns are:

1. How sophisticated is this entire thing? I mean, if Microsoft are denying it is even possible, and other experts have said setting up mirror servers and whatnot is incredibly advanced, and the Systems Security guy said he's never seen anything like it in 12 years, how concerned should I be exactly and what could possibly be this guy's motive?

2. As I must assume this DELL technician controls my life in the present term, do I even want to annoy him with any official complaining or should I let sleeping dogs lie or...?? I just want the madness to end obviously....

Thanks!

---------

Most software installation CD/DVDs (including Windows) have an autorun.inf file at the root for the sole purpose of executing programs on the disc. This is nothing new. The infection (if you can call it that), is coming from another source -- possibly your ISO flash drive.

---------

Most software installation CD/DVDs (including Windows) have an autorun.inf file at the root for the sole purpose of executing programs on the disc. This is nothing new. The infection (if you can call it that), is coming from another source -- possibly your ISO flash drive.

That would be fairly impressive considering I've done clean format / reinstalls on computers using only the Genuine Advantage discs. nb. VirusTotal.com scanned the uploaded autorun.inf file directly from the installation CD and the scan triggered a McAfee description as Generic!atr.b

---------

Most software installation CD/DVDs (including Windows) have an autorun.inf file at the root for the sole purpose of executing programs on the disc. This is nothing new. The infection (if you can call it that), is coming from another source -- possibly your ISO flash drive.

No, he specifically says that it is on the source install CD. The next question would be is this possibly a counterfeit CD that looks very genuine?

Probably nothing to do with the Dell technician if the trojan is on the CD, but the bigger question might be where did you get that CD?

---------

nb. VirusTotal.com scanned the uploaded autorun.inf file directly from the installation CD and the scan triggered a McAfee description as Generic!atr.b

Post the contents of the autorun.inf file here. Also include MD5/SHA-1 checksums. FWIW, it's impossible to modify data on optical media (CD/DVD) -- unless the data was tampered with PRIOR to burning.

Here's the autorun.inf file from my genuine MSDN ISOs:

Windows 7 Ultimate RTM (64-bit)

[AutoRun.Amd64]
open=setup.exe
icon=setup.exe,0

[AutoRun]
open=sources\sperr32.exe x64
icon=sources\sperr32.exe,0

File checksums

CRC: 06B4258E

MD5: B00D1EABC043412FD9CD13F6FE04202D

SHA-1: 9F92DF8607D7C67FB19BB92910A8AE74A584D22E

Windows 7 Ultimate RTM (32-bit)

[Autorun]
open=setup.exe
icon=setup.exe,0

File checksums

CRC: DA637560

MD5: 11E9F43DE44006D1F5316FC402910246

SHA-1: 8C75776CC881D8AC8483E017C95CB3FEF4477A83

Edited by Supernova
---------

Microsoft seems to think you can recover a BitLocker-encrypted HDD.

http://support.microsoft.com/kb/928201

Microsoft thinks lots of things which are not true.

To use the BitLocker Repair Tool

To use the BitLocker Repair Tool, follow these steps.

Step 1: Gather required materials

Obtain the following items to help you recover encrypted data from the affected volume:

  • The drive on which the damaged volume is located. This is the drive that contains the encrypted volume that you want to repair.
  • The recovery password or the recovery key for the encrypted volume. This is the recovery information that you saved when you enabled BitLocker.

Somewhat ironically, I didn't even choose the option to allow my DELL TPM to encrypt the key...

NOTE: The Use BitLocker without additional key and Require PIN at every startup options are not available unless you have a TPM.

Upon completion of encryption, Bitlocker prompted me to save a file which ostensibly held my Recovery Key. When I opened the file when it was needed, all it had was:

This page is a backup of Trusted Platform Module (TPM) owner

authorization information. Upon request, use the authorization information to

prove ownership of the computer's TPM.

IMPORTANT: Please keep this file in a secure location away from your computer's

local hard drive.

-->

<tpmOwnerData version="1.0" softwareAuthor="Microsoft Windows [Version 6.1.7600]" creationDate="2010-12-16T06:29:54+07:00" creationUser="(name-Laptop\my name" machineName="name-LAPTOP">

<tpmInfo manufacturerId="1112687437"/>

<ownerAuth>fONBGdaDnx9kOxw0TKzx0ttbbKU=</ownerAuth></tpmOwnerData>

---------
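The exchange above pins down the failure: the file saved during BitLocker setup was a backup of the TPM owner authorization (the `<tpmOwnerData>` fragment), not the 48-digit recovery password or recovery key file that the recovery screen and the BitLocker Repair Tool from KB 928201 ask for. What follows is an added example in Python, not code from this thread or from Microsoft, that tells the two artifacts apart and sanity-checks a recovery password's structure before you rely on it. Assumptions are marked in the code: the text layout of a recovery-password backup, the rule that each six-digit group is a 16-bit value multiplied by 11, and the reading of `manufacturerId` as four packed ASCII bytes. The TPM sample is the fragment quoted above with its XML comment reconstructed; the recovery-password sample is constructed.

```python
"""Tell a BitLocker recovery password apart from a TPM owner-authorization backup."""
import base64
import re
import xml.etree.ElementTree as ET

# Sample 1: the file the poster saved, copied from the post above. The
# preamble is placed inside an XML comment (assumption: the text before
# "-->" in the post was the body of a "<!-- ... -->" comment).
TPM_BACKUP_SAMPLE = """<!--
This page is a backup of Trusted Platform Module (TPM) owner
authorization information. Upon request, use the authorization information to
prove ownership of the computer's TPM.
IMPORTANT: Please keep this file in a secure location away from your computer's
local hard drive.
-->
<tpmOwnerData version="1.0" softwareAuthor="Microsoft Windows [Version 6.1.7600]" creationDate="2010-12-16T06:29:54+07:00" creationUser="(name-Laptop\\my name" machineName="name-LAPTOP">
<tpmInfo manufacturerId="1112687437"/>
<ownerAuth>fONBGdaDnx9kOxw0TKzx0ttbbKU=</ownerAuth></tpmOwnerData>
"""

# Sample 2 (constructed): the kind of text file BitLocker writes when you
# choose to save the recovery key. Wording and identifier are assumptions;
# only the 48-digit line is relied on.
RECOVERY_BACKUP_SAMPLE = """BitLocker Drive Encryption Recovery Key

Full recovery key identification: 3f2a1c55-0000-4bd2-9c1e-0123456789ab

BitLocker Recovery Key:

000011-000022-123420-720885-111111-222222-000000-654346
"""

RECOVERY_RE = re.compile(r"\b\d{6}(?:-\d{6}){7}\b")


def recovery_password_is_well_formed(pw: str) -> bool:
    """Structural check on a 48-digit recovery password.

    Assumption about the format: each 6-digit group is a 16-bit value
    multiplied by 11, so a group is valid only if it is divisible by 11 and
    the quotient fits in 16 bits. This catches mistyped groups; it does not
    prove the password belongs to any particular volume.
    """
    groups = pw.split("-")
    if len(groups) != 8 or not all(len(g) == 6 and g.isdigit() for g in groups):
        return False
    return all(int(g) % 11 == 0 and int(g) // 11 <= 0xFFFF for g in groups)


def tpm_manufacturer(manufacturer_id: str) -> str:
    """Decode the vendor tag: four ASCII bytes packed big-endian into a
    32-bit integer (assumption about TPM 1.2 reporting). 1112687437 -> 'BRCM'."""
    return int(manufacturer_id).to_bytes(4, "big").decode("ascii")


def classify_backup(text: str) -> dict:
    """Report what a file saved during BitLocker setup actually contains."""
    m = RECOVERY_RE.search(text)
    if m and recovery_password_is_well_formed(m.group(0)):
        return {"kind": "recovery-password", "recovery_password": m.group(0)}
    start, end = text.find("<tpmOwnerData"), text.find("</tpmOwnerData>")
    if start != -1 and end != -1:
        root = ET.fromstring(text[start:end + len("</tpmOwnerData>")])
        auth = base64.b64decode(root.findtext("ownerAuth", ""))
        info = root.find("tpmInfo")
        return {
            "kind": "tpm-owner-auth",
            # 20 bytes: the size of a TPM 1.2 authorization digest, not a volume key.
            "owner_auth_bytes": len(auth),
            "manufacturer": tpm_manufacturer(info.get("manufacturerId")) if info is not None else None,
            "machine": root.get("machineName"),
        }
    return {"kind": "unknown"}


if __name__ == "__main__":
    for label, sample in (("saved file", TPM_BACKUP_SAMPLE), ("recovery backup", RECOVERY_BACKUP_SAMPLE)):
        print(label, "->", classify_backup(sample))
```

Point `classify_backup` at the text of whatever you saved and it answers the question the poster could not. A file that classifies as `tpm-owner-auth` will not unlock anything: the 20-byte value proves ownership of the TPM, it is not a key for the volume. With a well-formed recovery password in hand, the repair tool from the KB article (`repair-bde` on Windows 7; see `repair-bde /?` for its syntax) can decrypt the volume to another disk; without it there is nothing to repair with.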

Most software installation CD/DVDs (including Windows) have an autorun.inf file at the root for the sole purpose of executing programs on the disc. This is nothing new. The infection (if you can call it that), is coming from another source -- possibly your ISO flash drive.

No, he specifically says that it is on the source install CD. The next question would be is this possibly a counterfeit CD that looks very genuine?

I will assume it's 'genuine' for now (since the OP says so).

On the other hand, it could very well be counterfeit made to look genuine as you suggest.

---------

nb. VirusTotal.com scanned the uploaded autorun.inf file directly from the installation CD and the scan triggered a McAfee description as Generic!atr.b

Post the contents of the autorun.inf file here. Also include MD5/SHA-1 checksums. FWIW, it's impossible to modify data on optical media (CD/DVD) -- unless the data was tampered with PRIOR to burning.

Here's the autorun.inf file from my genuine MSDN ISOs:

Windows 7 Ultimate RTM (64-bit)

[AutoRun.Amd64]
open=setup.exe
icon=setup.exe,0

[AutoRun]
open=sources\sperr32.exe x64
icon=sources\sperr32.exe,0

File checksums

CRC: 06B4258E

MD5: B00D1EABC043412FD9CD13F6FE04202D

MD5: B00D1EABC043412FD9CD13F6FE04202D *autorun.inf

SHA-1: 9F92DF8607D7C67FB19BB92910A8AE74A584D22E

Windows 7 Ultimate RTM (32-bit)

[Autorun]
open=setup.exe
icon=setup.exe,0

File checksums

CRC: DA637560

MD5: 11E9F43DE44006D1F5316FC402910246

MD5: 11E9F43DE44006D1F5316FC402910246 *autorun.inf

SHA-1: 8C75776CC881D8AC8483E017C95CB3FEF4477A83

Rats. Same contents and MD5s (not sure how to check for SHA-1s), but I'm guessing that means False Positive and that the discs aren't altered?

Which only leaves the new hard drive he installed...

100% Genuine Advantage discs from Microsoft. So now I'm confused though - because I've used the discs on both computers with the same chaotic results, which I thought eliminated the laptop hard drive from list of suspicion...

---------

Rats. Same contents and MD5s (not sure how to check for SHA-1s), but I'm guessing that means False Positive and that the discs aren't altered?

Definitely a 'false positive' -- but that's just ONE file out of several thousand on disc... To make sure the entire disc isn't altered, you would need to create an ISO image from disc. This will settle for once and for all whether or not your disc is genuine.

Here's how:

1. Download and install ISO Recorder

2. Insert your Windows 7 Installation DVD into your DVD drive

3. Right-click on the DVD drive and select Create image from CD

Windows 7 Ultimate (x86) DVD (English)

SIZE: 2,501,894,144 bytes

CRC: C1C20F76

MD5: D0B8B407E8A3D4B75EE9C10147266B89

SHA-1: 5395DC4B38F7BDB1E005FF414DEEDFDB16DBF610

Windows 7 Ultimate (x64) DVD (English)

SIZE: 3,224,686,592 bytes

CRC: 1F1257CA

MD5: F43D22E4FB07BF617D573ACD8785C028

SHA-1: 326327CC2FF9F05379F5058C41BE6BC5E004BAA7

Use HashTab or HashCheck shell extension to verify checksums.

Note: If your Windows 7 disc is OEM, checksums may not match due to OEM branding.

Edited by Supernova
---------
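Supernova's two posts above (the autorun.inf hashes, and the whole-disc image hashes) amount to one procedure: hash what you have, compare with a known-good value, and read the file's directives rather than trusting a generic detection name. The block below is an added example in Python, not code from this thread and not a VirusTotal or McAfee tool. The reference hashes are copied from the posts; the two genuine autorun.inf files are reconstructed from the posted listings, and their exact bytes (CRLF line endings, no trailing newline, the layout that gives the 43 bytes VirusTotal reported) are an assumption, as is the worm-style sample built from McAfee's description.

```python
"""Verify install media by hash and audit an autorun.inf for worm-style hooks."""
import hashlib
import io

# Known-good values copied from the posts above (Supernova's MSDN media).
# OEM-branded discs can legitimately differ, so a mismatch is a prompt to
# investigate, not proof of tampering.
KNOWN_GOOD = {
    "Windows 7 Ultimate RTM autorun.inf (32-bit)": {
        "md5": "11e9f43de44006d1f5316fc402910246",
        "sha1": "8c75776cc881d8ac8483e017c95cb3fef4477a83"},
    "Windows 7 Ultimate RTM autorun.inf (64-bit)": {
        "md5": "b00d1eabc043412fd9cd13f6fe04202d",
        "sha1": "9f92df8607d7c67fb19bb92910a8ae74a584d22e"},
    "Windows 7 Ultimate (x86) DVD (English)": {
        "size": 2501894144,
        "md5": "d0b8b407e8a3d4b75ee9c10147266b89",
        "sha1": "5395dc4b38f7bdb1e005ff414deedfdb16dbf610"},
    "Windows 7 Ultimate (x64) DVD (English)": {
        "size": 3224686592,
        "md5": "f43d22e4fb07bf617d573acd8785c028",
        "sha1": "326327cc2ff9f05379f5058c41be6bc5e004baa7"},
}

# Constructed inputs. The genuine files are reconstructed from the posted
# listings (CRLF, no trailing newline); the exact bytes are an assumption.
GENUINE_X86_AUTORUN = b"[Autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0"
GENUINE_X64_AUTORUN = (b"[AutoRun.Amd64]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n\r\n"
                       b"[AutoRun]\r\nopen=sources\\sperr32.exe x64\r\nicon=sources\\sperr32.exe,0")
# Worm-style file following the McAfee Generic!atr.b description quoted above.
WORM_AUTORUN = (b"[Autorun]\r\nopen=worm.exe\r\nshellexecute=worm.exe\r\n"
                b"shell\\Auto\\command=worm.exe")

# Executables an install disc's open= line may point at, from the genuine listings.
INSTALLER_TARGETS = {"setup.exe", "sources\\sperr32.exe"}


def hash_stream(fobj, chunk: int = 1 << 20) -> dict:
    """Run MD5 and SHA-1 over a file object in one pass, chunked so a
    3 GB DVD image never has to fit in memory."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    for block in iter(lambda: fobj.read(chunk), b""):
        md5.update(block)
        sha1.update(block)
        size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_bytes(data: bytes) -> dict:
    return hash_stream(io.BytesIO(data))


def match_known_good(digests: dict):
    """Name of the reference entry whose every recorded field matches, else None."""
    for name, ref in KNOWN_GOOD.items():
        if all(digests.get(field) == value for field, value in ref.items()):
            return name
    return None


def parse_autorun(data: bytes) -> dict:
    """Minimal INI reader returning {section: [(key, value), ...]}.
    Duplicates are kept on purpose: every directive matters, not a merged view."""
    sections, current = {}, None
    for raw in data.decode("ascii", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        else:
            key, _, value = line.partition("=")
            sections.setdefault(current if current is not None else "", []).append(
                (key.strip(), value.strip()))
    return sections


def audit_autorun(data: bytes) -> list:
    """Findings that separate an installer's autorun.inf from a worm's."""
    findings = []
    for section, items in parse_autorun(data).items():
        if not section.lower().startswith("autorun"):
            findings.append(f"unexpected section [{section}]")
        for key, value in items:
            k = key.lower()
            target = value.split()[0].lower() if value else ""
            if k == "shellexecute" or k.startswith("shell\\"):
                # Extra execution hooks: the pattern McAfee's write-up describes.
                findings.append(f"[{section}] {key}={value}: execution hook beyond open=")
            elif k == "open":
                if target not in INSTALLER_TARGETS:
                    findings.append(f"[{section}] open={value}: not the installer")
            elif k not in ("icon", "label", "action"):
                findings.append(f"[{section}] unrecognised directive {key}=")
    return findings


if __name__ == "__main__":
    for name, blob in (("x86 disc", GENUINE_X86_AUTORUN), ("x64 disc", GENUINE_X64_AUTORUN),
                       ("worm sample", WORM_AUTORUN)):
        d = hash_bytes(blob)
        print(f"{name}: {d['size']} bytes, known-good match: {match_known_good(d)}, "
              f"findings: {audit_autorun(blob) or 'none'}")
    # Whole image: with open("win7.iso", "rb") as f: print(match_known_good(hash_stream(f)))
```

The audit is what the signature name hides: an `open=` line pointing at setup.exe is the disc doing its job, while `shellexecute=` or `shell\...\command=` entries pointing at an unknown executable are what the generic detection is actually written for. Because that detection keys on a text pattern, a hash match against a known-good file is the faster check, and `hash_stream` handles a multi-gigabyte image without loading it into memory. As the post notes, OEM-branded media will hash differently from MSDN media, so record your own known-good value from a disc you trust, and remember that a verified disc says nothing about what lives outside it.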

Are the infected machines connected to a network? If so, there's some chance the infection could be jumping on from another infected machine before you have a chance to patch your clean install. Keep them disconnected while you set them up.

I made a Windows ISO install flash drive from a brand new USB stick.

USB sticks are one of the most common ways malware can move around, especially using autorun. I've heard of a couple of cases where new USB sticks have been infected with some crapware. New or not, I would keep that stick out of the process entirely.

The next question would be is this possibly a counterfeit CD that looks very genuine?

I presume it has all the shiny hologram stuff etc ?

I'd be surprised if malware could survive the installation process if you are formatting your drive.

---------

Thanks Supernova - but when I try to install ISO Recorder, it says:

"An error occurred while writing installation information to disk. Check to make sure enough disk space is available, and click Retry, or Cancel to end the install."

My hard drive is almost empty! Pressing Retry achieves nothing, pressing Cancel results in message:

"The installer was interrupted before ISO Recorder could be installed. You need to restart the installer to try again. Click Close to exit."

Nothing I do seems to work ;(

---------

I ran GMER just now and got this:

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit quick scan 2011-02-21 14:32:15

Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.LJ01

Running: w5d9lxz7.exe; Driver: C:\Users\Jonny\AppData\Local\Temp\uwlyypod.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

Is this suspect? I've never installed McAfee. I just tried, and couldn't for unknown reason/s. It just freezes up instantly on Install.

---------

Are the infected machines connected to a network? If so, there's some chance the infection could be jumping on from another infected machine before you have a chance to patch your clean install. Keep them disconnected while you set them up.

My first dozen or so format / reinstalls were done with one or both computers online, i.e. a dirty one whilst attempting to reinstall the OS mostly from one of the CDs. I don't much care for Network or Homegroups so never connect to either. Then I got increasingly frustrated, and did some simultaneous offline (completely) format / reinstalls and only then did I realise it had to be with the discs or both BIOSes were infected.

However, what's a "Workgroup"? I see my systems are listed as NT Workstation here and there, and they're on this "Workgroup" named "WORKGROUP" when I click on System Properties. This is something different from Network and Homegroup right?

The next question would be is this possibly a counterfeit CD that looks very genuine?

I presume it has all the shiny hologram stuff etc ?

I'd be surprised if malware could survive the installation process if you are formatting your drive.

100% it's Microsoft Genuine Advantage CDs. 100% something is surviving the format / re-installation process. Surviving and THRIVING.

The CDs were mailed directly from Microsoft when my idiotic conscience / OCD combined to empty my wallet a few days after I bought a new PC and I was getting annoyed by messages "You may have been a victim of counterfeiting."

I wasn't so much a victim as a willing accessory. Then I felt guilty, and now I feel guilty for feeling guilty. Microsoft is literally the worst. I've been sending them evidence all week and their last position is that I'm imagining it all. After they claimed they didn't get all my submitted photos to their https://support.microsoft.com upload link, which all went through successfully of course.

---------

Stuff has started to get a little weird now, this is about when I normally do another format.

But just quickly, I noticed my "workgroup" has two different names - what's up with that? I don't even want to be on a workgroup, and certainly never set one up.

workgroup.png

Also, it is strange that my 25-digit Windows key doesn't show up, instead that weird Product ID code instead? Not sure if that's standard or...?

When I tried to save that screenshot above, I got this message:

permission.png

I'm logged in as Administrator!!

When I try to save to My Pictures:

ohboya.png

So I can't save any file to my hard drive even though I'm logged in as Administrator.

And now I notice all these hidden files on my hard drive:

ntuserwtf.png

I don't want to be an NT User. What is this crap? I've changed no settings. But I have a feeling I'm about to get dumped out of Windows any second, and when I log back in, it will be as a Temp user with a blank desktop. That's what has been happening....FML

---------

And now I notice all these hidden files on my hard drive:

ntuserwtf.png

I don't want to be an NT User. What is this crap? I've changed no settings. But I have a feeling I'm about to get dumped out of Windows any second, and when I log back in, it will be as a Temp user with a blank desktop. That's what has been happening....FML

Those are legit Windows files -- registry data files to be precise. NTUSER.DAT is where user specific registry settings are stored.

---------

I'd be surprised if malware could survive the installation process if you are formatting your drive.

100% it's Microsoft Genuine Advantage CDs. 100% something is surviving the format / re-installation process. Surviving and THRIVING.

The CDs were mailed directly from Microsoft when my idiotic conscience / OCD combined to empty my wallet a few days after I bought a new PC and I was getting annoyed by messages "You may have been a victim of counterfeiting."

Boot sector viruses (albeit very rare nowadays) can survive formatting and in some cases, a hard drive repartition. Try wiping the installation partition instead of formatting, see if that helps.

Edited by Supernova
---------

By offline, you mean any ethernet cable in the back has been physically disconnected, right? Because otherwise it might not be. And no connectable wireless networks (including the neighbours).

If the MD5's of your installation disks match known good ones, you can exclude them as the source of the problem.

If you think it could be something weird in your BIOS, download the latest version for your motherboard from the manufacturer's website and flash it in. That should clear any potential monkey business there.

Hard drive - I guess there could be something in the boot sector, although I would have thought a fresh install would clean that up too, but maybe things are different in 7. You could download a Linux live test CD and use that to torch the master boot record (and everything else) if you were feeling sufficiently paranoid.

Edit: Workgroup is just a default 'group' your computer belongs to, that's no problem. The other name is just the name the computer will use on the network, that shouldn't be a problem either.

Edited by Crushdepth
---------
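Both replies above point at the one place a format does not touch: the first sector of the disk, which holds the boot code and the partition table, and Crushdepth's suggestion to overwrite it from a Linux live CD. The block below is an added example in Python, not code from this thread, that decodes a captured MBR so you can see what is there before deciding to wipe it. It parses the classic 512-byte MBR layout (440 bytes of boot code, a 4-byte disk signature, four 16-byte partition entries, the 0x55AA signature). The sample record and its placeholder boot code are constructed here and are not Windows' real loader, and the known-good boot-code hash is one you would record yourself from the same disk right after a clean install; no vendor value is claimed.

```python
"""Inspect a 512-byte master boot record before deciding to wipe it."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439; the disk signature follows at 440
PART_TABLE_OFF = 446       # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"    # bytes 510..511


def parse_mbr(rec: bytes) -> dict:
    """Decode the classic (non-GPT) MBR layout of one sector."""
    if len(rec) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if rec[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    boot_code = rec[:BOOT_CODE_LEN]
    partitions = []
    for slot in range(4):
        e = rec[PART_TABLE_OFF + 16 * slot: PART_TABLE_OFF + 16 * (slot + 1)]
        status, ptype = e[0], e[4]          # e[1:4] and e[5:8] are legacy CHS values
        lba_start, sectors = struct.unpack("<II", e[8:16])
        if ptype == 0:                      # empty slot
            continue
        partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha1": hashlib.sha1(boot_code).hexdigest(),
        "boot_code_blank": not any(boot_code),
        "disk_signature": struct.unpack("<I", rec[440:444])[0],
        "partitions": partitions,
    }


def audit_mbr(rec: bytes, known_good_boot_sha1: str = None):
    """Flag what a quick format leaves behind. The reference hash is the one
    you record from the same disk right after a clean install."""
    info = parse_mbr(rec)
    findings = []
    if info["boot_code_blank"]:
        findings.append("boot code is all zeros: nothing boots from this MBR")
    elif known_good_boot_sha1 and info["boot_code_sha1"] != known_good_boot_sha1:
        findings.append("boot code differs from the known-good capture")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} partitions marked active, expected 1")
    parts = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(parts, parts[1:]):      # a hidden extra partition often shows up as overlap
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"slot {a['slot']} overlaps slot {b['slot']}")
    return info, findings


def build_mbr(boot_code: bytes, partitions, disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a record from parts; used here only to construct samples."""
    rec = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    rec[:len(code)] = code
    rec[440:444] = struct.pack("<I", disk_signature)
    for slot, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * slot
        rec[off] = 0x80 if bootable else 0x00
        rec[off + 4] = ptype
        rec[off + 8:off + 16] = struct.pack("<II", lba_start, sectors)
    rec[510:512] = SIGNATURE
    return bytes(rec)


def wipe_boot_code(rec: bytes) -> bytes:
    """Zero the boot code but keep the partition table: in-memory equivalent of
    dd if=/dev/zero of=/dev/sdX bs=440 count=1 run from a live CD."""
    return bytes(BOOT_CODE_LEN) + rec[BOOT_CODE_LEN:]


# Constructed samples: placeholder boot code (not Windows' loader) and the
# usual Windows 7 layout, a 100 MB active System Reserved partition followed
# by the OS partition, both NTFS (type 0x07).
PLACEHOLDER_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 64
WIN7_LAYOUT = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 312000000)]
CLEAN_MBR = build_mbr(PLACEHOLDER_BOOT_CODE, WIN7_LAYOUT)
KNOWN_GOOD_BOOT_SHA1 = parse_mbr(CLEAN_MBR)["boot_code_sha1"]   # "captured" after install
# Same partition table, different boot code: the case a format-and-reinstall keeps.
TAMPERED_MBR = build_mbr(b"\xEB\xFE" + b"\x00" * 6 + b"\x41" * 16, WIN7_LAYOUT)

if __name__ == "__main__":
    for label, rec in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR),
                       ("wiped", wipe_boot_code(TAMPERED_MBR))):
        info, findings = audit_mbr(rec, KNOWN_GOOD_BOOT_SHA1)
        print(label, [(p["slot"], hex(p["type"]), p["lba_start"]) for p in info["partitions"]],
              findings or "no findings")
```

Capture the sector from a live CD with `dd if=/dev/sda of=mbr.bin bs=512 count=1` and pass the bytes to `audit_mbr`. `dd if=/dev/zero of=/dev/sda bs=440 count=1` clears the boot code while keeping the partition table; `bs=512` clears both, which is the "torch the master boot record" option, after which the installer has to recreate everything. None of this reaches firmware: if the BIOS itself is suspect, reflashing it from the vendor image is the separate step Crushdepth describes.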

C:\PROGRA~2\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\.....endless repeating...

Is this sort of thing normal for Windows - That's C:\PROGRAM FILES\APPLICATION DATA\......I can't get to the end of it, Explorer starts freezing up.

I managed to get ISO Recorder installed. Just a bunch of folders with a single .dll in each and a main ISORecorder.dll and a netfw.tlb file and that's all in the installed ISO Recorder directory.

Windows Update Security downloads are being blocked from installation.

I can run some programs and can save all sorts of files to my Desktop but cannot save .PNG files anywhere on my computer.

There are hundreds and hundreds of Red (hidden) registry entries showing up in Gmer. I haven't touched any obviously.

I've made zero changes to any settings.

A program called MSADC is making registry changes.

I feel like something's wrong.

---------

C:\PROGRA~2\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\APPLIC~1\.....endless repeating...

Is this sort of thing normal for Windows - That's C:\PROGRAM FILES\APPLICATION DATA\......I can't get to the end of it, Explorer starts freezing up.

I managed to get ISO Recorder installed. Just a bunch of folders with a single .dll in each and a main ISORecorder.dll and a netfw.tlb file and that's all in the installed ISO Recorder directory.

Windows Update Security downloads are being blocked from installation.

It's a big mess...

You might as well start over.

Only this time repartition instead of formatting.

---------

I spent three days last week trying to get my system back to normal after finding I had the conficker.AH virus in my desktop - getting rid of it was not easy, especially so since it had morphed and was also sitting on the one unprotected part of my system, my CAT EVDO Aircard USB modem!

---------

BTW, have you scanned your hard drive for bad sectors? If not, do this first.

Run CHKDSK with the following options:

[x] Automatically fix file system errors

[x] Scan for and attempt recovery of bad sectors

I managed to get ISO Recorder installed. Just a bunch of folders with a single .dll in each and a main ISORecorder.dll and a netfw.tlb file and that's all in the installed ISO Recorder directory.

Folders with numbers as folder names contain language specific resource files for the program (e.g., 1033 = English).

Edited by Supernova
---------

Also, it is strange that my 25-digit Windows key doesn't show up, instead that weird Product ID code instead?

No, it isn't. Only the PID shows in Windows. The key that you used to generate the PID is never shown (unless you specifically go and look for it).

You apparently know very little about Windows and how it works and so I am surprised that you are fiddling about with things that you clearly don't understand like the registry. Bitlocker for example: if you use it, it goes to huge lengths to warn you to save the unlock key in a safe place for emergency use. Did you do so? Apparently not.

Autorun.inf shows as a generic threat because it is precisely that: a generic threat AKA a potentially harmful file. Given that it is only a text file it is easy enough to check the contents and see if it is normal or not. You don't need to check the MD5.

And the list of anti-malware software that you have installed/used is quite remarkable: much of it is only suitable for use by experts anyway, and I don't think that you qualify. In fact that list is 10 times more software than I have used to clean any number of infected PCs in the last 10 years, something I do for a living.

Your original hard drive didn't need replacing either, even if you didn't know the Bitlocker key. I don't know why anyone would have told you to do that.

Your solution is to remove any network connection or USB storage device from your PC, format the hard drive from the BIOS or via an Ubuntu Live CD, reinstall Windows using the official disk (your disk looks official enough) being sure to reformat the partitions during the process, install the correct drivers from the Dell site, allow Windows Update to do the necessary updates, install MSE.

Then format (or better still throw away) your USB key. Don't connect any other PC to the network unless you are certain that it is not infected with anything.

And finally stop messing about with things that you don't understand. As an uninformed end-user you should not be fooling about in the advanced setup of Windows at all. If you leave Windows 7 alone you will probably never have any trouble.

---------

Definitely a 'false positive' -- but that's just ONE file out of several thousand on disc... To make sure the entire disc isn't altered, you would need to create an ISO image from disc. This will settle for once and for all whether or not your disc is genuine.

Here's how:

1. Download and install ISO Recorder

Windows 7 Ultimate (x64) DVD (English)

SIZE: 3,224,686,592 bytes

CRC: 1F1257CA

MD5: F43D22E4FB07BF617D573ACD8785C028

SHA-1: 326327CC2FF9F05379F5058C41BE6BC5E004BAA7

Use HashTab or HashCheck shell extension to verify checksums.

HashTab is pretty awesome! Unable to install ISO Recorder no matter what I try, I guess the malware has it tagged. Downloaded and installed UltraISO seamlessly, created ISO image and HashTab is showing the identical values to the above for my 64-bit disc (which was the most 'suspect' of the two) - so that's 100% that the 64-bit CD is clean then...

If you think it could be something weird in your BIOS, download the latest version for your motherboard from the manufacturer's website and flash it in.

Definitely something weird going on in my BIOSes - have flashed my DELL numerous times with the latest (A24 from memory), have also tried to update all the old drivers the DELL technician installed but that's proving incredibly challenging (the malware fights for the BIOS).

dellcontrolvault.png

I've got 14.x.132.0 half-installed for the above. That's what he put on there a week ago.

It's a big mess...

You might as well start over.

Only this time repartition instead of formatting.

Yeah it's crawling pretty slowly now - usually by this point, I'd have done one of my 20 format / reinstalls but DELL said they were coming all day today. They didn't come. By repartition, do you mean simply slicing my 160GB hard drive, because I've done that for same result...before you mentioned wiping as opposed to formatting? I searched online but am a bit confused about the difference between the two....

Have done a number of CHKDSK scans, but will do again directly following this post (which I've typed out and lost a few times to blue screens around this point without saving it).

The ISO Recorder folder has 8 10xx sub-folders but they each only have a single .dll in each of them.

No, it isn't. Only the PID shows in Windows. The key that you used to generate the PID is never shown (unless you specifically go and look for it).

Ah okay. I wasn't abreast of that information.

You apparently know very little about Windows and how it works and so I am surprised that you are fiddling about with things that you clearly don't understand like the registry.

I haven't edited the registry. I'm crash-learning as I go, so I'll have some hilarious gaps in knowledge but in some aspects I seem to already know more than some 'experts' (it would seem, somewhat surprisingly).

Bitlocker for example: if you use it, it goes to huge lengths to warn you to save the unlock key in a safe place for emergency use. Did you do so? Apparently not.

I quite clearly stated the situation with Bitlocker above. I never lie. You're quite wrong on this one.

Autorun.inf shows as a generic threat because it is precisely that: a generic threat AKA a potentially harmful file. Given that it is only a text file it is easy enough to check the contents and see if it is normal or not. You don't need to check the MD5.

autorun.inf was a False Positive. I included the actual output from VirusTotal.com when I uploaded it off the Genuine Advantage disc. I just assumed I'd finally 'solved' the problem, and didn't run confirmation tests or bother downloading a Sandbox to open it. In any case, we've moved on from there.

And the list of anti-malware software that you have installed/used is quite remarkable: much of it is only suitable for use by experts anyway, and I don't think that you qualify. In fact that list is 10 times more software than I have used to clean any number of infected PCs in the last 10 years, something I do for a living.

Much of it was used on instruction from those experts. My systems are as infected as ever. But the programs themselves aren't exactly rocket science. Actually, the vast majority of them are remarkably user-friendly. Nothing about this seems very complex; I'm quite sure if my IT education wasn't 2 weeks old, I'd have fixed up all the registry keys by now and sorted it.

Your original hard drive didn't need replacing either, even if you didn't know the Bitlocker key. I don't know why anyone would have told you to do that.

Yes. It did. You'd understand why if you read above. A very bright DELL technician and I spent all night working on unlocking it with this 'classified' Microsoft PDF for Security Personnel. The drive was destroyed.

Your solution is to remove any network connection or USB storage device from your PC, format the hard drive from the BIOS or via an Ubuntu Live CD, reinstall Windows using the official disk (your disk looks official enough) being sure to reformat the partitions during the process, install the correct drivers from the Dell site, allow Windows Update to do the necessary updates, install MSE.

Genuine question: How will formatting from a boot disk do what my Genuine Advantage discs cannot? I don't understand what you mean there. There must be something I'm missing about formatting from the BIOS, because everything else has been done multiple times without joy.

And finally stop messing about with things that you don't understand. As an uninformed end-user you should not be fooling about in the advanced setup of Windows at all. If you leave Windows 7 alone you will probably never have any trouble.

Shucks, wish I'd thought of that whilst I was being hacked a week ago. I should have just left the malware / hacker alone after losing my permissions to copy / delete files off my desktop? Seems...sub-optimal.

To TheLaughingMan, I was unaware that Windows behaved like this. I've been using it awhile, and didn't realise that it rapidly confiscates my Administrator permissions and kills all protecting software and opens up my firewalls for Remote Procedure Calls.

---- Services - GMER 1.0.15 ----

Service C:\Windows\servicing\TrustedInstaller.exe (*** hidden *** ) [AUTO] TrustedInstaller <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

---- Devices - GMER 1.0.15 ----

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8D7480B8]

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8D7480E2]

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8D7480CE]

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8D7480A4]

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

This one above, once I was able to kill the service (wasn't easy), I was able to download McAfee. But it's currently preventing McAfee from updating or doing even a Flash Scan and I can't kill the mfehidk.sys service again.

Currently I cannot save images to my computer as I don't have the permissions. But I can download and install most programs and control most services and all the drivers (kinda - they reinstall before I can replace them).

TM RootkitBuster gets killed by the malware within seconds of starting, but its last scan pinged some worrying hidden registry keys. I know I need to reinstall, but f DELL...they need to come fix this mess sigh...

+----------------------------------------------------

| Trend Micro RootkitBuster

| Module version: 3.60.0.1016

| Computer Name: DELLE6500

+----------------------------------------------------

--== Dump Hidden Registry Value on HKLM ==--

[HIDDEN_REGISTRY][Hidden Reg Value]:

KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP

Root : 0

SubKey : DHCP

ValueName : Collection

Data :

ValueType : 3

AccessType: 0

FullLength: 0x58

DataSize : 0

[HIDDEN_REGISTRY][Hidden Reg Value]:

KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap

Root : 0

SubKey : RPC-EPMap

ValueName : Collection

Data : 87 0 1 0

ValueType : 3

AccessType: 0

FullLength: 0x5d

DataSize : 0x4

2 hidden registry entries found.
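Following the point made above that autorun.inf is plain text you can simply read, here is an added checker (not code from this thread or from any of the tools named in it) that parses the file and lists anything a reviewer should look at. It assumes, as a baseline that is an assumption rather than something the thread verified, that a clean install disc's autorun.inf holds a single [autorun] section whose open= and icon= name setup.exe in the disc root; the two sample files are constructed here.

```python
import configparser

EXPECTED_SECTION = "autorun"
EXPECTED_LAUNCHER = "setup.exe"            # assumed baseline launcher in the disc root
LAUNCH_KEYS = ("open", "shellexecute")     # directives that run something on insert
KNOWN_KEYS = LAUNCH_KEYS + ("icon", "label")

# Constructed sample in the layout assumed for a clean install disc.
CLEAN_SAMPLE = """[AutoRun]
open=setup.exe
icon=setup.exe,0
"""

# Constructed sample of a file a reviewer should look at more closely.
SUSPICIOUS_SAMPLE = r"""[AutoRun]
open=setup.exe
shellexecute=sources\update.exe
[Other]
x=1
"""

def _target(value):
    """First token of a directive value: the file it names, without args or icon index."""
    parts = value.split(",")[0].split()
    return parts[0].lower() if parts else ""

def inspect_autorun(text):
    """Return findings for a human to review; an empty list means the file looks normal."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)                   # keys are lower-cased by configparser
    if not any(s.lower() == EXPECTED_SECTION for s in cp.sections()):
        findings.append("no [autorun] section")
    for name in cp.sections():
        if name.lower() != EXPECTED_SECTION:
            findings.append(f"unexpected section [{name}]")
            continue
        for key, value in cp[name].items():
            target = _target(value)
            if key in LAUNCH_KEYS and target != EXPECTED_LAUNCHER:
                findings.append(f"{key}= runs '{value}' rather than {EXPECTED_LAUNCHER}")
            elif key == "icon" and target != EXPECTED_LAUNCHER:
                findings.append(f"icon= points at '{value}'")
            elif key not in KNOWN_KEYS:
                findings.append(f"unusual directive {key}=")
            if "\\" in target or "/" in target:
                findings.append(f"{key}= names a file outside the disc root: '{value}'")
    return findings

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, inspect_autorun(sample) or "looks normal")
```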

By repartition, do you mean simply slicing my 160GB hard drive, because I've done that for same result...before you mentioned wiping as opposed to formatting? I searched online but am a bit confused about the difference between the two....

I meant delete partitions and wipe data (aka Zero-fill or writing zeros to the hard disk). This will effectively destroy ALL data on the drive. Think of it as a document shredder; I'm sure you're familiar with those in the workplace.

While some BIOSes do support "low-level formatting", modern drives no longer require LLF, therefore, avoid using the BIOS for this purpose. Zero-fill is the modern day equivalent to LLF. Use diagnostic tools provided by your hard disk manufacturer (e.g., Seagate SeaTools) or partition software such as Acronis Disk Director to wipe data.

A very bright DELL technician and I spent all night working .....

I'm sure the Dell tech was a very nice guy but let me try and clarify. I do this for a living. I've been doing it every day for well over 15 years and I get very well paid for doing it (European rates, not Thai), so someone must be satisfied with me. When I work on a computer it doesn't take me all night and when I've finished it functions properly.

I gave you the benefit of my advice for free. Listen or ignore it, it's up to you.

I meant delete partitions and wipe data (aka Zero-fill or writing zeros to the hard disk). This will effectively destroy ALL data on the drive. Think of it as a document shredder; I'm sure you're familiar with those in the workplace.

While some BIOSes do support "low-level formatting", modern drives no longer require LLF, therefore, avoid using the BIOS for this purpose. Zero-fill is the modern day equivalent to LLF. Use diagnostic tools provided by your hard disk manufacturer (e.g., Seagate SeaTools) or partition software such as Acronis Disk Director to wipe data.

This is fine for erasing personal data but it is not really relevant in this instance.

Deleting and recreating a partition will effectively remove any data on the partition. There is no need to overwrite as long as the FAT is empty, especially as this is not the problem here. Whatever the OP may have (and actually I'm not convinced he has anything at all) it will be living in the boot sector and the best way to erase this is to do so from a non-Windows OS as this will make it unreadable to Windows. When Windows is reinstalled it will recreate the boot sector correctly. The hard drive tools you mention (and Ubuntu and MacOS and the BIOS etc) will do the same thing, but overwriting is not needed.

There is a very small possibility that something has affected his BIOS or other firmware and the solution to that is to reflash the BIOS using a Dell flashing tool and check the firmware of any other cards having one. This is really rare though so it seems unlikely.

(Personally I suspect that the other poster was correct and that the OP is in fact a troll, as it's hard to imagine any real person having the problems that he has. But the replies may be useful for other people and so no harm done there.)
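The post above puts any real infection in the boot sector and says a reinstall rewrites it. As an added example (not the poster's procedure), here is a read-only check that parses a 512-byte MBR, lists the partition table and compares the bootstrap code's hash with one recorded right after a clean reinstall, so a later change stands out. The sector is constructed in the script; reading it from a real drive from a live CD (for instance dd if=/dev/sda bs=512 count=1 of=mbr.bin) is an assumption about your setup.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xaa"            # MBR boot signature at offset 510
ENTRY_FMT = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr(boot_code):
    """Constructed MBR for the demo: given bootstrap bytes, one bootable NTFS partition."""
    code = boot_code.ljust(440, b"\x00")                      # 440 bytes of bootstrap code
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"    # disk signature + reserved
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return code + disk_sig + entry + b"\x00" * 48 + BOOT_SIG

def parse_mbr(sector):
    """Return the bootstrap-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE or sector[510:] != BOOT_SIG:
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype:                                             # type 0 means an empty slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:440]).hexdigest(), "partitions": parts}

def bootstrap_matches_baseline(sector, baseline_sha256):
    """True when the bootstrap code is byte-identical to the recorded clean baseline."""
    return parse_mbr(sector)["code_sha256"] == baseline_sha256

if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")     # constructed "clean" bootstrap stub
    baseline = parse_mbr(clean)["code_sha256"]           # record this right after reinstall
    tampered = build_sample_mbr(b"\xeb\xfe")              # constructed modified stub
    print(parse_mbr(clean)["partitions"])
    print("clean matches baseline:", bootstrap_matches_baseline(clean, baseline))
    print("tampered matches baseline:", bootstrap_matches_baseline(tampered, baseline))
```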

I meant delete partitions and wipe data (aka Zero-fill or writing zeros to the hard disk). This will effectively destroy ALL data on the drive. Think of it as a document shredder; I'm sure you're familiar with those in the workplace.

Alright sweet thanks, I'm gonna give this a crack as I don't value DELL's assurances much. Seems simple enough, but this could be the exhaustion talking, I'm a bit confused about how it works. I assume it's a complete wipe, which means right through the BIOS? So do I have to install a BIOS program of some kind before I reinstall Windows?

I'm sure the Dell tech was a very nice guy but let me try and clarify. I do this for a living. I've been doing it every day for well over 15 years and I get very well paid for doing it (European rates, not Thai), so someone must be satisfied with me. When I work on a computer it doesn't take me all night and when I've finished it functions properly.

I gave you the benefit of my advice for free. Listen or ignore it, it's up to you.

I genuinely appreciate the assistance of anyone, but I've had a rough run with professionals of late. There are a whole lot of people doing work for a living, who are rather...lucky...to be making a living from their work. And lately, I have employed lots of them.

Clearly there wouldn't be much point in Bitlocker-encrypting a drive that you'd shrug off with a grin - I was pretty desperate, and I'm a fierce researcher. If there was a way to save that Bitlocker drive, it wasn't online.

Right down at the end of this 100-page PDF is the summary of all the options I had. We went through them, then I cried a little, then waved goodbye to my hard drive. http://thibault.rouat.com/security-doc/Windows/WIN7-BITLOCKER-EFS-RMS-Draft-V1.pdf
