Bitcoin Forum
Author Topic: [Solved] Windows infection: please help a security newbie  (Read 6523 times)
dree12 (OP), Legendary (Activity: 1246, Merit: 1077)
July 23, 2012, 01:18:45 AM  #21

Quote:
    edit; if it will let you, enable the BITS (Background Intelligent Transfer Service) service from services.msc and see if you can then access the windows update functions.

None of these services exist anymore:

  • BITS
  • Microsoft Antimalware
  • Windows Firewall
  • Windows Update

Quote:
    Are you using a device from Midiman called M-Audio or some such via firewire?

The file has definitely been renamed and corrupted. Here are some suspicious traits:

Code:
No permissions have been assigned for this object.

Warning: this is a potential security risk because anyone who can access this object can take ownership of it. The object's owner should assign permissions as soon as possible.

Code:
Original filename: mafwcpl.exe
sadpandatech, Hero Member (Activity: 504, Merit: 500)
July 23, 2012, 01:24:32 AM  #22

Quote from: dree12
    None of these services exist anymore: BITS, Microsoft Antimalware, Windows Firewall, Windows Update.
    [...]
    The file has definitely been renamed and corrupted. Here are some suspicious traits:
    Code: Original filename: mafwcpl.exe

Aye, that file we have now is not the original. Did you find anything else modified around the same time?

As far as the missing services go: OUCH. You are likely going to need to at the very least run a repair install of Win 7.

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system.
- GA

It is being worked on by smart people.  -DamienBlack
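An added example, not code from the thread, that automates what posts #21 and #22 are doing by hand: is each of the services dree12 listed still registered, is its implementation DLL still on disk (post #29 later notes that re-registering was possible because the DLLs survived), and does a given file show the two traits flagged in post #21, an empty ACL and a version-resource "Original filename" that does not match the name on disk. The short service names, the svchost ServiceDll registry layout and the default DLL paths are assumptions about a stock Windows 7 install; PowerShell 3.0 or later and an elevated prompt are also assumed. Nothing here deletes or repairs anything; it only reports.

```powershell
# Added example, not from the thread. Assumes Windows 7-era service names and the
# svchost ServiceDll registry layout; run from an elevated PowerShell 3.0+ prompt.

# Display names used in the thread -> short service names (assumption: Win7 defaults).
$ExpectedServices = [ordered]@{
    'BITS'                  = 'BITS'       # Background Intelligent Transfer Service
    'Windows Update'        = 'wuauserv'
    'Windows Firewall'      = 'MpsSvc'
    'Security Center'       = 'wscsvc'
    'Microsoft Antimalware' = 'MsMpSvc'    # Microsoft Security Essentials engine
}

# Where the svchost-hosted ones keep their DLL on a stock Win7 (assumption), used when
# the service key itself has been deleted and Parameters\ServiceDll is gone with it.
$DefaultServiceDll = @{
    'BITS'     = "$env:SystemRoot\System32\qmgr.dll"
    'wuauserv' = "$env:SystemRoot\System32\wuaueng.dll"
    'MpsSvc'   = "$env:SystemRoot\System32\mpssvc.dll"
    'wscsvc'   = "$env:SystemRoot\System32\wscsvc.dll"
}

function Test-ExpectedService {
    param([string]$Label, [string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $status = if ($svc) { $svc.Status.ToString() } else { 'MISSING' }
    $r = [ordered]@{
        Label = $Label; Name = $Name; Registered = [bool]$svc; Status = $status
        ServiceDll = $null; DllOnDisk = $null; DllSigned = $null
    }
    # Registered services name their DLL in Parameters\ServiceDll; fall back to the
    # stock path so "service deleted, DLL still present" (re-registrable) shows up.
    $dll = (Get-ItemProperty -Path "$key\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { $dll = $DefaultServiceDll[$Name] }
    if ($dll) {
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        $r.ServiceDll = $dll
        $r.DllOnDisk  = Test-Path -LiteralPath $dll
        if ($r.DllOnDisk) {
            $r.DllSigned = ((Get-AuthenticodeSignature -FilePath $dll).Status -eq 'Valid')
        }
    }
    [pscustomobject]$r
}

function Test-SuspiciousFile {
    # The traits from post #21: empty DACL, and a PE "OriginalFilename" that is not
    # the name the file is sitting under. Also reports the Authenticode status.
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path
    $acl  = Get-Acl -LiteralPath $Path
    $orig = "$($item.VersionInfo.OriginalFilename)".Trim()
    [pscustomobject]@{
        Path         = $item.FullName
        Owner        = $acl.Owner
        EmptyAcl     = ($acl.Access.Count -eq 0)    # "No permissions have been assigned" state
        OriginalName = $orig
        Renamed      = ([bool]$orig -and ($orig -ne $item.Name))
        Signature    = (Get-AuthenticodeSignature -FilePath $item.FullName).Status.ToString()
        LastWrite    = $item.LastWriteTime
    }
}

function Find-EmptyAclFiles {
    # Files under $Root written in the last $Days days whose DACL is empty.
    param([string]$Root = "$env:SystemRoot\System32", [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $since } |
        Where-Object { (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Access.Count -eq 0 } |
        ForEach-Object { Test-SuspiciousFile -Path $_.FullName }
}

# Usage
$ExpectedServices.GetEnumerator() |
    ForEach-Object { Test-ExpectedService -Label $_.Key -Name $_.Value } |
    Format-Table -AutoSize
Test-SuspiciousFile -Path 'C:\Windows\System32\suspect.dll'   # hypothetical path; use the file you are examining
Find-EmptyAclFiles | Format-Table Path, OriginalName, Renamed, Signature, LastWrite
```

Run from inside the infected OS this is only as honest as the kernel it runs on; a rootkit that hooks file or registry access can make a deleted service look present or a renamed file look normal. Treat a clean-looking result as a reason to repeat the file checks from a boot CD against the mounted disk, not as proof.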
dree12 (OP), Legendary (Activity: 1246, Merit: 1077)
July 23, 2012, 01:40:46 AM  #23

I have a restore point from the last Windows update. Will that restore the missing services?
sadpandatech, Hero Member (Activity: 504, Merit: 500)
July 23, 2012, 01:41:51 AM  #24

Quote from: dree12
    I have a restore point from the last Windows update. Will that restore the missing services?

Is that date before that file was created? And I am not totally sure on that. It kind of depends in what manner they have been removed.

dree12 (OP), Legendary (Activity: 1246, Merit: 1077)
July 23, 2012, 01:43:57 AM  #25

Quote from: sadpandatech
    Is that date before that file was created? And I am not totally sure on that. It kind of depends in what manner they have been removed.

Yes, and Windows Update was certainly working. I guess I'll try, and if that doesn't work, repair install.

Thanks for your help! It saved me a lot of grief and was greatly appreciated.

BTW: wrorap.dll somehow hacked the web browsers (it was being used by them when I tried to delete it). That's what was causing the redirects.
check_status, Full Member (Activity: 196, Merit: 100), Web Dev, Db Admin, Computer Technician
July 23, 2012, 02:19:59 AM  #26

Probably installed javascript into the profile of Firefox; you may need to create a new profile.

For Bitcoin to be a true global currency the value of BTC needs always to rise.
If BTC became the global currency & money supply = 100 Trillion then ⊅1.00 BTC = $4,761,904.76.
P2Pool Server List | How To's and Guides Mega List |  1EndfedSryGUZK9sPrdvxHntYzv2EBexGA
finkleshnorts, Sr. Member (Activity: 336, Merit: 250)
July 23, 2012, 04:07:04 AM  #27

Quote from: dree12
    Yes, and Windows Update was certainly working. I guess I'll try, and if that doesn't work, repair install.

Restore points can be infected.
sadpandatech, Hero Member (Activity: 504, Merit: 500)
July 23, 2012, 04:39:24 AM  #28

Quote from: check_status
    Probably installed javascript into the profile of Firefox; you may need to create a new profile.

Aye, not a bad idea at all.

I take it you were able to remove it in safe mode? Was Firefox the only browser that was redirecting on you? It probably will not hurt to reinstall any other browsers you were using as well.

And now you've got me curious as to the source of that thing. I hadn't bothered to decompile that DLL to see the actual script in it, as I figured you had it whipped. But it could not hurt to.

Another handy trick is to find a compiled piece of the malicious code to use to search for inside of all the files on your computer. I've been able to find quite a few leftover 'dormant' pieces of nasties that would have otherwise gone undetected that way.

Let us know if you still have issues removing that file. Or skip ahead of posting again and use http://www.scanwith.com/Pocket_KillBox_download.htm
Add the file path to the box, check the 'delete on reboot' option, and then, if you are ready to reboot, hit the little red X to the right of the file location input. That should have no issues removing it. If so, let us know.

cheers

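The "find a compiled piece of the malicious code and search for it inside all the files on your computer" trick from post #28, written out as an added example (not sadpandatech's code): carve a run of bytes out of a known-bad sample, then sweep a directory tree for any file containing that run. Files are read in chunks with an overlap so a match that straddles two reads is still found. PowerShell 3.0 or later is assumed; the sample path, the offset and the root to sweep are placeholders.

```powershell
# Added example, not from the thread. Carve bytes from a known-bad sample, then sweep a
# tree for any file containing them. Assumes PowerShell 3.0+; paths are placeholders.

function Get-BytePattern {
    # Read $Length bytes at $Offset from a sample. Pick an offset inside the code or
    # data, not the PE header or a run of zero padding: every binary shares those.
    param([string]$SamplePath, [int]$Offset = 0, [int]$Length = 32)
    $fs = [System.IO.File]::OpenRead($SamplePath)
    try {
        [void]$fs.Seek($Offset, [System.IO.SeekOrigin]::Begin)
        $buf = New-Object byte[] $Length
        $n = $fs.Read($buf, 0, $Length)
        if ($n -le 0) { throw "nothing readable at offset $Offset in $SamplePath" }
        if ($n -lt $Length) { $buf = [byte[]]($buf[0..($n - 1)]) }
        return ,$buf
    } finally { $fs.Dispose() }
}

function Find-ByteOffset {
    # Index of the first occurrence of $Pattern within $Buffer[0..$Count-1], or -1.
    # Plain scan; fine for a one-off sweep with a short pattern.
    param([byte[]]$Buffer, [int]$Count, [byte[]]$Pattern)
    $last = $Count - $Pattern.Length
    for ($i = 0; $i -le $last; $i++) {
        if ($Buffer[$i] -ne $Pattern[0]) { continue }
        $j = 1
        while ($j -lt $Pattern.Length -and $Buffer[$i + $j] -eq $Pattern[$j]) { $j++ }
        if ($j -eq $Pattern.Length) { return $i }
    }
    return -1
}

function Test-FileContainsBytes {
    # File offset of the first match, or -1. Keeps the last (pattern length - 1) bytes
    # of each chunk in front of the next one so a match across a chunk boundary is seen.
    param([string]$Path, [byte[]]$Pattern, [int]$ChunkSize = 1MB)
    $overlap = $Pattern.Length - 1
    $buf   = New-Object byte[] ($ChunkSize + $overlap)
    $carry = 0      # bytes already in $buf from the previous chunk
    $base  = 0      # file offset of $buf[0]
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        while (($n = $fs.Read($buf, $carry, $ChunkSize)) -gt 0) {
            $total = $carry + $n
            $hit = Find-ByteOffset -Buffer $buf -Count $total -Pattern $Pattern
            if ($hit -ge 0) { return ($base + $hit) }
            if ($total -ge $overlap) {
                if ($overlap -gt 0) { [Array]::Copy($buf, $total - $overlap, $buf, 0, $overlap) }
                $base += $total - $overlap
                $carry = $overlap
            } else {
                $carry = $total     # file shorter than the overlap so far: keep everything
            }
        }
        return -1
    } finally { $fs.Dispose() }
}

function Find-FilesWithBytes {
    param([string]$Root, [byte[]]$Pattern, [long]$MaxSize = 256MB)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Length -ge $Pattern.Length -and $_.Length -le $MaxSize } |
        ForEach-Object {
            $file = $_
            try {
                $off = Test-FileContainsBytes -Path $file.FullName -Pattern $Pattern
                if ($off -ge 0) {
                    [pscustomobject]@{ Path = $file.FullName; Offset = $off; Size = $file.Length; LastWrite = $file.LastWriteTime }
                }
            } catch {
                Write-Warning "skipped $($file.FullName): $($_.Exception.Message)"   # locked or access denied
            }
        }
}

# Usage: 32 bytes from inside a quarantined copy of the DLL, then sweep the Windows directory.
$sig = Get-BytePattern -SamplePath 'C:\quarantine\wrorap.dll' -Offset 0x400 -Length 32   # hypothetical copy
Find-FilesWithBytes -Root $env:SystemRoot -Pattern $sig | Format-Table -AutoSize
```

Expect the sweep to run at disk speed and to hit the quarantine copy itself. Two caveats that matter for this thread: a rootkit that hooks directory listing can hide its files from Get-ChildItem, so a clean sweep from the infected OS is weaker than the same sweep from a boot CD; and a packed or per-install-mutated dropper will not share bytes with its siblings, so a miss is not proof of absence.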
dree12 (OP), Legendary (Activity: 1246, Merit: 1077)
July 23, 2012, 11:37:29 PM  #29
Last edit: July 24, 2012, 01:53:38 AM by dree12

It was ZeroAccess.

I'll update soon: I'm running some scans to make sure the rootkit is completely gone.

Firefox redirected the worst (on load and nearly every search result). IE also redirected. Chromium refused to work until recently (it wouldn't connect to anything).

Update:

ZeroAccess is apparently a rootkit that uses a variety of techniques to circumvent UAC by injecting code into UAC exceptions. I had not realized the dangers of keeping UAC at the "recommended" level, believing it to be sufficient in preventing malware. UAC is now set at the highest level.

ZeroAccess also downloaded a Bitcoin-related trojan (this is what most worries me). At this point, all my bitcoin is still present and remains encrypted. This was the cause of the slow computer; the bitcoin trojan converted it into a botnet.

ZeroAccess deleted some important services. Most importantly, Windows Update and Windows Firewall have been deleted. I will probably do a repair install, as a system restore seems too risky (what if it restores the rootkit?).

At this point, ZeroAccess should have been removed. At the very least, its symptoms are no longer present.

Edit: Windows Update has been restored (I needed to reregister the services, but the dlls were not deleted). I have reinstalled MSE and the computer should be much safer now. Now, I'm trying to fix Windows firewall, which isn't as crucial as the other two.
rjk, Sr. Member (Activity: 448, Merit: 250), 1ngldh
July 24, 2012, 03:07:07 AM  #30

Personally, I never trust an infected computer ever again. All kinds of shit happens that's easy to miss and will cause future problems. If you hold any significant amount of bitcoins, it would be a good idea to move them to a known secure computer. And I mean move the encrypted wallet without first decrypting it, since you can't be sure there isn't a lingering keylogger or some shit like that.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
dree12 (OP), Legendary (Activity: 1246, Merit: 1077)
July 24, 2012, 03:12:43 AM  #31

I have rediscovered an even more serious infection. This time, some core Windows system files were damaged.

"Windows has encountered a critical problem and will restart in one minute".

Yes, even in safe mode.

I have resorted to system restore, which has fixed the critical problem (additionally, all services have been restored). MSE is currently running, but only so I can gain some experience on how to deal with a severe infection.

At this point, I am simply going to install Ubuntu tomorrow. After dealing with ZeroAccess, this newly discovered and even worse infection will simply be an exercise to remove.
myrkul, Hero Member (Activity: 532, Merit: 500), FIAT LIBERTAS RVAT CAELVM
July 24, 2012, 03:17:30 AM  #32

Quote from: dree12
    At this point, I am simply going to install Ubuntu tomorrow. After dealing with ZeroAccess, this newly discovered and even worse infection will simply be an exercise to remove.

Windows, your days are numbered!

http://www.youtube.com/watch?v=CWsJcg-g1pg

That said, the most recent Ubuntu is not my favorite. Unity... ick. But it's a great Linux beginner OS.

BTC1MYRkuLv4XPBa6bGnYAronz55grPAGcxja
Need Dispute resolution? Public Key ID: 0x11D341CF
No person has the right to initiate force, threat of force, or fraud against another person or their property. VIM VI REPELLERE LICET
dree12 (OP), Legendary (Activity: 1246, Merit: 1077)
July 24, 2012, 03:21:34 AM  #33

Sirefef is the trojan's name. I think it's currently under control (quarantined by MSE, which was saved by the system restore).

Quote from: myrkul
    That said, the most recent Ubuntu is not my favorite. Unity... ick. But it's a great Linux beginner OS.

I wish there was audio in safe mode now.

Ubuntu is good enough for me, because I've actually used it before.

Edit: Wow, these viruses are good. They just deleted the Windows Security Centre service... in Safe Mode. The reason this is so significant is that that is not a service that can even start in Safe Mode.
check_status, Full Member (Activity: 196, Merit: 100), Web Dev, Db Admin, Computer Technician
July 24, 2012, 05:03:38 AM  #34

Well, there are both benefits and disadvantages to using Linux. Linux does have malware, rootkits, worms, trojans, privilege escalation, vulnerabilities. The benefit of Linux is that the majority of malware attacks always start in user space; the disadvantage is that the tools are not well discussed in a way that lets newbies acquire improved security. Often, security questions are met with responses like, "You're on Linux now, stop worrying, there is no malware here, just move along...". Little do they know, their question was being answered by a blackhat, who isn't interested in helping to reduce his ability to pwn your box. Because of this atmosphere that "Linux is immune", detecting an infection or security threat is much harder for a newb than it is in Windows.

Ask yourself this: if a rootkit/worm/trojan/keylogger were running in your Linux system, how would you find it? Now see how many people will teach you how to look for the signs.

While Linux is better at default security than Windows, the length of time an infection will go undiscovered by a newb on Linux will be much longer, if infected.

myrkul, Hero Member (Activity: 532, Merit: 500), FIAT LIBERTAS RVAT CAELVM
July 24, 2012, 05:16:05 AM  #35

Quote from: check_status
    Well, there are both benefits and disadvantages to using Linux. Linux does have malware, rootkits, worms, trojans, privilege escalation, vulnerabilities.

Yes, and Ubuntu is starting to get big enough to be a targetable audience (i.e., it's worth the hacker's time).

But the very nature of the Linux ecosystem makes it harder to program a single bug that will infect everyone, and the open-source nature and upstream fixes makes any holes shorter-lived.

No system is 100% secure. But compared to Windows, Linux might as well be. (Especially if, like me, you use some off-brand Linux, and keep everything updated.)

Vladimir, Hero Member (Activity: 812, Merit: 1001)
July 24, 2012, 05:16:59 AM  #36

Whether you like it or not, wipe all and reinstall is what you need to do.

01BTC10, VIP, Hero Member (Activity: 756, Merit: 503)
July 24, 2012, 05:37:25 AM  #37

Quote from: Vladimir
    Whether you like it or not, wipe all and reinstall is what you need to do.

+1

And some very specialised rootkits can even infect the BIOS, so in a company environment you need to flash the BIOS before reinstall. You can't trust a computer that has ever been infected.

http://www.tomshardware.com/news/bios-virus-rootkit-security-backdoor,7400.html
dree12 (OP), Legendary (Activity: 1246, Merit: 1077)
July 24, 2012, 04:48:19 PM  #38

Quote from: 01BTC10
    And some very specialised rootkits can even infect the BIOS, so in a company environment you need to flash the BIOS before reinstall. You can't trust a computer that has ever been infected.

If I'm going to be switching OSes, should I still worry about this?
sadpandatech, Hero Member (Activity: 504, Merit: 500)
July 24, 2012, 05:21:32 PM  #39

Quote from: dree12
    If I'm going to be switching OSes, should I still worry about this?

Def +1 to what Vlad and 01BTC10 are saying. You seem to have some fairly uncommon nasties on your machine. It probably would not hurt at all to boot from a floppy or live CD made from another machine and flash the BIOS. Also, when you do format the drive to reinstall, make sure to format /MBR and format /S as well from a known clean disk.

Nasty stuff there, m8.

If that was in my shop, I'd probably just destroy the HDD, replace the mobo and rest comfortably versus wondering IF there is some more advanced infection involved.

dree12 (OP), Legendary (Activity: 1246, Merit: 1077)
July 24, 2012, 05:34:12 PM  #40

Quote from: sadpandatech
    Also, when you do format the drive to reinstall, make sure to format /MBR and format /S as well from a known clean disk.
    [...]
    If that was in my shop, I'd probably just destroy the HDD, replace the mobo and rest comfortably versus wondering IF there is some more advanced infection involved.

I'd rather not risk killing the BIOS to remove something that a) probably isn't there and b) probably doesn't matter.

Why should I format the MBR? Won't that destroy the partition table?
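The two things being argued about in posts #39 and #40 live in the same 512-byte sector but are different bytes: the first 446 are boot code, the next 64 are the four partition entries, the last two are the 0x55 0xAA signature. The DOS-era fdisk /mbr and the Windows 7 install-media bootrec /fixmbr both replace the boot code and leave the 64-byte table alone, so rewriting the MBR does not on its own destroy the partitions. Below is an added example (not from the thread) that reads sector 0, hashes the boot-code portion so it can be compared with a trusted machine or an earlier dump, and parses the table. It needs an elevated prompt for raw access to \\.\PhysicalDrive0; the image path in the comment is a placeholder.

```powershell
# Added example, not from the thread. Read sector 0 of the first disk and split it into
# boot code, partition table and signature. Requires an elevated prompt.

function Read-MbrSector {
    param([string]$Device = '\\.\PhysicalDrive0')
    $fs = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
    try {
        $sector = New-Object byte[] 512
        if ($fs.Read($sector, 0, 512) -ne 512) { throw "short read from $Device" }
        return ,$sector
    } finally { $fs.Dispose() }
}

function ConvertFrom-Mbr {
    # Classic MBR layout: bytes 0-445 boot code, 446-509 four 16-byte partition entries,
    # 510-511 the 0x55 0xAA signature. Returns a hash of the boot code plus the table.
    param([byte[]]$Sector)
    if ($Sector.Length -lt 512) { throw 'need a full 512-byte sector' }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bootHash = ($sha.ComputeHash($Sector, 0, 446) | ForEach-Object { $_.ToString('x2') }) -join ''
    $entries = foreach ($i in 0..3) {
        $e = 446 + 16 * $i
        $type = $Sector[$e + 4]
        if ($type -eq 0) { continue }                            # unused slot
        [pscustomobject]@{
            Slot     = $i
            Bootable = ($Sector[$e] -eq 0x80)
            Type     = ('0x{0:X2}' -f $type)                     # 0x07 NTFS, 0xEE GPT protective MBR
            StartLba = [BitConverter]::ToUInt32($Sector, $e + 8)  # little-endian, as stored on disk
            Sectors  = [BitConverter]::ToUInt32($Sector, $e + 12)
        }
    }
    [pscustomobject]@{
        SignatureOk    = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        BootCodeSha256 = $bootHash
        Partitions     = @($entries)
    }
}

# Usage: the live disk, or a sector image dumped earlier from a boot CD.
ConvertFrom-Mbr -Sector (Read-MbrSector) | Format-List
# ConvertFrom-Mbr -Sector ([System.IO.File]::ReadAllBytes('C:\mbr.bin')) | Format-List   # hypothetical dump
```

Compare BootCodeSha256 with the same Windows version on a machine you trust, or with a dump taken from a boot CD: a bootkit lives in those 446 bytes (and in spare sectors after them), while the partition table is the 64 bytes the parser prints. Reading sector 0 from inside a rootkitted kernel can return whatever the rootkit wants, so the dump from a boot CD is the one to believe. On a GPT disk expect a single 0xEE entry covering the whole disk.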