Resolving an issue with page faults in a nonpaged area

One of the computers I was working on as of late (a Dell Inspiron B130) appeared to have eleventy billion malware infections of one kind or another. The staff who had been out there before attempted to remove some of the malware, with varying levels of success. At some point, a chunk of malware was removed, but not all of it, and the hooks it had placed in the system caused a blue screen to appear with PAGE_FAULT_IN_NONPAGED_AREA (with a STOP message of 0x00000050, or just 0x50) when Windows XP loaded either in normal mode or safe mode with networking. I never tried to load with just regular safe mode (no networking), but I figured that it wouldn’t matter and I went straight to using the UBCD.

Let me say now: I <3 the UBCD. If I didn’t have this particular tool, my job would be a pain. Or I could work on fewer computers.

Anyway, I could tell immediately by examining CurrentVersion\Run keys and values that there were a number of issues on the computer. I manually took care of what I could, and used the EZ-PC-FIX on the UBCD to check other registry values/keys running at startup, in the control set, etc., and the files they were using. Eventually I was able to weed out enough malware (let’s say about 50+ registry and file deletions) to feel safe booting up into safe mode and running Spybot. How wrong I was. There was something in the malware that was causing a window to open saying shell.exe was not found and was preventing .exe files from being launched. I checked HKEY_CLASSES_ROOT .exe and exefile, and for one of those the malware had added a call to a program whenever a program was launched. Since that program was no longer around, nothing would load. Once I resolved that (again through the UBCD since regedit didn’t want to run), I was able to run Spybot in safe mode. After what seemed like an hour, Spybot found just over 220 malware items. It was able to resolve most of these, but would need to run at startup in normal mode to clean up the few that it couldn’t. Ok, so I should now be safe to load Windows normally. Or not.

I continued to get PAGE_FAULT_IN_NONPAGED_AREA when booting Windows. While trying to recall the manner in which to restore save points in XP via the UBCD (never did find it; it may no longer be there), I was checking some of the information they had for resolving stop messages. One solution to the issue pointed to a Microsoft knowledge base article I hadn’t come across while searching Google for “page fault in nonpaged area”: KB894278. It referenced a particular rootkit that installs a kernel driver (or two). While these aren’t the files on the system in question, the following were present, and had the same creation date as a number of the malware files I had dealt with:

  • Flee46.sys
  • grande48.sys
  • Wek86.sys (This file may or may not be an issue. It says it is part of the SCSI Class group, but nothing comes up with a Google of this file, so it may still be malware.)
  • ctfmon.exe (an .exe in with a bunch of .sys files?)
  • Vgkm39.sys

I had been watching flee46.sys load in safe mode, as it was the last file that was being called, and I had never seen it before. My curiosity was further piqued when I could not get a Google result for “flee46.sys”, which meant to me it was malware. Regardless, I appended “.malware.old” onto the end of all of those and rebooted. The blue screen was nowhere to be found, Windows XP was loading in normal mode, and Spybot was running. There are a couple of minor items I need to take care of now, but the computer is probably 90% rid of its malware issues. Huzzah!

UPDATE: The .sys files in question were related to what McAfee calls Srizbi.


Learning something new: re-installing Windows XP with I386

Recently, I worked on a student’s computer, a Dell desktop of some kind, that had issues starting up. It could begin to load Windows XP (Professional I believe) but would hang prior to the login screen. After some malware cleaning and whatnot, I managed to get past that point, only to then hang at an empty desktop. After reviewing the system even more, I found plenty of remnants of previous malware infections (100s of files) and decided that a format/reinstall would be the best option to make sure everything was taken care of. The big issue, of course, was that the student couldn’t find the installation discs that came with their computer.

Previously, this hadn’t been much of a concern, as we would direct students to the bookstore to purchase a new copy of Windows XP Professional (if they hadn’t already purchased a copy) and then use that to reinstall the operating system. Now that Vista is out, there are either very few or no copies of XP to be found at the bookstore, and some computers come to us that installing Vista on is simply not an option.

I thought I was out of options, but then I recalled that the UBCD has a program that could be helpful, Windows XP Setup Launcher. What it does, is allow you to pick a path to install Windows XP from. You cannot pick the Windows directory itself, as these are the post-installation files, but the computer did have an I386 directory, which has the compressed files that are used in installing Windows. I copied that directory to an external hard drive and ran Windows XP Setup Launcher. Using another UBCD program, Keyfinder, I got the computer’s Windows product key, which I needed to complete the setup process.

There were some issues along the way of course.

At one point, I was getting an error message of some kind because mstask.ini could not be found in the I386 folder. Now, for creating the UBCD, I have the contents of a Windows XP installation CD stored on my computer, and it just so happened that mstask.ini was already there. The contents were simply:

[.ShellClassInfo]
CLSID={d6277990-4c6a-11cf-8d87-00aa0060f5bf}

However, in case this was a file that was or needed to be different per computer, I searched for the entire second line shown above. While there were a number of sites that came up, this was the first site listed, and the inline comment for that CLSID of “Makes the task folder work” was enough for me to assume that this was something standard that could be copied over. Sure, most of the information that initially comes up is for Windows prior to XP, but my assumption was correct, as I was able to continue on to bigger and better errors.

The next error was a pain to deal with, as the installation would throw the following message at me:

Windows cannot load internet configuration utility ICFGNT.DLL. The specified module could not be loaded.

This is where I, unfortunately, get forgetful. I wasn’t taking exact notes on this, and as the case was, there were multiple errors going on at the same time that I was trying to resolve. Always remember: fix one thing at a time. Regarding this, I’m sure I did the following, and as listed later, I tried some of these multiple times:

  • I will say that this site/forum post offered the most assistance. I applied the edits to txtsetup.sif that are listed, even though I was not using the exact software listed. It didn’t appear to harm the system and I do believe it helped. These were as follows (all added to the [FileFlags] section of txtsetup.sif):
    BNTS.DLL = 16
    TSHOOT.DLL = 16
    SNIFFPOL.DLL = 16
    SSTUB.DLL = 16
    SSDPSRV.DLL = 16
    SSDPAPI.DLL = 16
    UPNP.DLL = 16
    UPNPHOST.DLL = 16
    UPNPCONT.EXE = 16
    UDHISAPI.DLL = 16
  • I downloaded a copy of icfgnt.dll, as I could not find a copy in the I386 folders I had access to.

Something there did the job, as I was able to get the computer up and running. I had also saved the drivers and dell directories to the external drive so that I would be able to install the hardware Windows couldn’t, and fortunately, everything was there as needed. You’d think that would be the end of it, but you would be wrong; so very, very wrong.

Sure, the computer was running, but one of the Windows Security Alert balloons that pop up after a fresh install caught my eye. If I’m correct, it may have been telling me that the computer did not have any antivirus software installed. I don’t know for sure, as the message was not in English; in fact, it was definitely a Middle Eastern language, but I’m not sure which. For the purpose of listing it, I’m going to say it was Arabic. I didn’t think this was going to be an issue, but then I started to use Windows. Here’s what I remember finding in Arabic:

  • All of the Windows Security Center
  • The Start menu item for setting default applications and settings
  • The Hardware and Remote tabs of System Properties

So, I tried the re-installation process again, making sure to do an attended install and not an unattended one, which of course did not solve the problem. This was starting to bother me, as I could find no real reason why it was happening, then it hit me: everything that was showing up in Arabic was something that had been changed with Service Pack 2. I grabbed one of the SP2 discs we have from a couple of years ago and “installed” it on the computer. One reboot later, and all but one item (default applications and settings) was in English. I connected to the Internet and initiated an update of 90-some items, and following that reboot, the computer was, as far as I could tell, all in English again.

Was this computer a pain to deal with? Yes. Did I enjoy working on it? You better believe it. It was nice to have a computer come in that was fubar and find a unique way to solve the problem, which I can now tuck away as an option for further issues I may face. Also, since nothing jumped out at me when I was searching for this, I’m more than glad to add it to the collective knowledge of the web. Just be sure to leave a comment if you find this useful.


You need 3.99 PB free to copy those files and Window Whistler

So, for whatever reason, Meghan’s computer went stupid this morning and kept rebooting; I couldn’t even get it into safe mode and her monitor did not want to work, something I’ve seen on three separate HP Pavilion monitors. After all, I had problems when I had my HP Pavilion (monitor and hard drive), Ryan had problems (hard drive), and Meghan has had problems (2 Pavilion monitors and hard drive), so I’m not too surprised.

Anyway, I had to connect her computer up to my monitor to even see what was going on, and even then, I couldn’t actually get to see the error message. I realized, though, there was one thing I could do: set my digital camera to video mode and simply record the screen as the computer booted. Once I captured the flicker of information before the reboot, I played the recording back, and then went frame by frame to the point that the message was displayed. All in all, that took about 2 minutes to do, which was quicker than booting to the command prompt and editing the registry to turn off the key that causes the reboot after a system crash. Sometimes you just have to be resourceful.

I was able to get the information off of the hard drives by connecting them to my computer, but there were some files that were corrupt. While I was copying some of the files, I kept getting an error message that couldn’t be true. The hard drive on Meghan’s computer was 40 GB, and mine is 233 GB. There was one folder that didn’t want to copy, because it supposedly had over 4 PB of data and I didn’t have enough room.

How much room do I need again?

One TB (terabyte) is 1000 GB, so one PB (petabyte) is 1000 TB. Somehow, whatever quantum particle hit the hard drive really did a number on it. I’m just going to leave it at that for now and deal with it tomorrow after I can go to work and get a UBCD.

3.99 PB. Sheesh.

Also, since I had never really had to boot her computer into safe mode, I noticed that the option available to me was “Microsoft Windows Whistler Professional”. I really don’t recall ever seeing this, but a quick Google search found an article on PC World:

Though still whistling, Microsoft’s next desktop operating system is finally stepping out of the dark with this week’s release of Whistler Beta 1 to a limited group of developers and hardware vendors. (See “Microsoft Releases Whistler Beta.”)

The successor to both its consumer-oriented Windows Millennium Edition and business-strength Windows 2000 operating systems, Whistler is due on store shelves in the second half of 2001. But Windows 95 stalwarts beware: you won’t be able to simply upgrade Windows 95 machines to Whistler.

So, Meghan’s computer, which she would have purchased sometime in 2001, technically has one of the earliest versions of XP on it. Every other aspect tends to report that it is Windows XP Home, not Whistler, so I’m surprised by this. Well, you learn something new every day.


Malware: My Cv.exe and others

On campus we had a nice piece of malware appear on some computers in the Bowen-Thompson Student Union. My sample required that I open a file that was either on the desktop or on a USB drive, which was made to look like a Microsoft Word document, and unless you had the option to show file extensions, you would assume it was a .doc, but it was actually an .exe. Once this was done, the malware would infect the C:\ drive and the USB drive with at least 3 files I am sure of, apply a handful of policy settings, and make other changes to the registry. One of my student workers, Matt Sigley, assisted me in determining which files and settings were added or changed.

I would have expected Google to give me a better answer, but I was really unable to find anything that met my search criteria. As a result, I’m posting this here so that others can see what needs to be done. This is as complete a list of what needs to be done as we were able to determine, and the machine otherwise appears to be clean. I do not take responsibility if you remove files or change a setting you need as a result of these items, but again, it worked for us.


Remove
------------------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr: 01 00 00 00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools: 01 00 00 00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Nofolderoptions: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disable: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Run\winxp: "C:\WINDOWS\winxp.exe"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell: "C:\WINDOWS\winxp.exe"
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell: "C:\WINDOWS\winxp.exe"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell: "C:\WINDOWS\winxp.exe"
C:\WINDOWS\winxp.exe
C:\WINDOWS\winword.exe
C:\Win Firewall.txt
C:\The Science of becoming Rich.exe
C:\My Cv.exe
C:\The Biography of Adolf Hitler.exe
Also possible: C:\Database.exe
Also possible: C:\Tasks.exe

Change
------------------------------------------------
HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\lnkfile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\lnkfile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\batfile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\batfile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\comfile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\comfile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\exefile\: "File Folder"
to
HKLM\SOFTWARE\Classes\exefile\: "Application"

HKLM\SOFTWARE\Classes\piffile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\piffile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe "C:\WINDOWS\winxp.exe""
to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winxp.exe"
to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR: 0x00000001
to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR: 0x00000000

The keys that begin with HKU\S-1-5-21- may have different numbers than those listed above, but just keep going and ignore whatever you have in place of 1482476501-1606980848-1957994488-1003. Also, if you have any other iterations, such as HKU\S-1-5-22-, HKU\S-1-5-23-, etc., check those directories and keys as well.
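As an added example (not the authors’ FixShell.bat or anything else from the post), here is a Python script that reads a Remove/Change listing in the form shown above and emits a Registration Entries (.reg) file that deletes the added values and restores the changed ones, substituting the machine’s own SID for the one in the listing. The LISTING constant is an excerpt of the listing above; the plain file paths in the Remove list are returned separately, since they are not registry entries.

```python
import re

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS", "HKCU": "HKEY_CURRENT_USER"}
SID_RE = re.compile(r"S-1-5-21-[\d-]+")

# Excerpt of the listing above, in the form Regshot writes it.
LISTING = r"""
Remove
------------------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Run\winxp: "C:\WINDOWS\winxp.exe"
C:\WINDOWS\winxp.exe
Also possible: C:\Tasks.exe
Change
HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""%1" %*"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR: 0x00000001
to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR: 0x00000000
"""

def split_entry(line, sid=None):
    """'HKLM\\key\\Name: data' -> (full key, value name or '@', raw data); a trailing '\\' is the default value."""
    path, data = line.split(": ", 1)
    hive, _, rest = path.partition("\\")
    key, _, name = rest.rpartition("\\")
    if sid:
        key = SID_RE.sub(sid, key)          # the SID differs per machine
    return f"{HIVES[hive]}\\{key}", name or "@", data

def reg_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')

def reg_data(raw):
    """Regshot-style data -> .reg syntax (string, dword or binary)."""
    if raw.startswith('"') and raw.endswith('"'):
        return '"' + reg_escape(raw[1:-1]) + '"'
    if raw.startswith("0x"):
        return "dword:" + raw[2:].zfill(8)
    return "hex:" + ",".join(raw.split())   # '01 00 00 00' -> hex:01,00,00,00

def build_reg(listing, sid=None):
    """Return (.reg text deleting every Remove value and writing every Change target, file paths)."""
    section, want_target, files, per_key = None, False, [], {}
    for raw in listing.splitlines():
        line = raw.strip().removeprefix("Also possible: ")
        if not line or line.startswith("---"):
            continue
        if line in ("Remove", "Change"):
            section = line
            continue
        if section == "Change":
            if line == "to":
                want_target = True
                continue
            if not want_target:
                continue                    # the infected value; not needed
            want_target = False
        if ": " not in line:
            files.append(line)              # C:\... entries, not registry
            continue
        key, name, data = split_entry(line, sid)
        name = "@" if name == "@" else '"' + reg_escape(name) + '"'
        value = "-" if section == "Remove" else reg_data(data)
        per_key.setdefault(key, []).append(f"{name}={value}")
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, values in per_key.items():
        out += [f"[{key}]", *values, ""]
    return "\n".join(out), files
```

Import the resulting text with regedit from the UBCD environment (RegEdit (Remote) against the offline hive) rather than from the infected boot, for the reason given in the list below.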

Some comments about the files it makes

The only .exe files I had were C:\The Science of becoming Rich.exe, C:\My Cv.exe, and C:\The Biography of Adolf Hitler.exe; the two listed as possible were reported to me by our network security people. The files created by the malware were C:\WINDOWS\winxp.exe, C:\WINDOWS\winword.exe, and C:\Win Firewall.txt. That last one tries to mislead you by listing some information about two pieces of malware, so this one could be a derivative work of either or both of them. Based on my Google Web History, I believe they were rontokbro and sircam, as I no longer have a copy of that txt file around. However, when looking to see what those could do, I found none of their signatures on the computer. There’s also the fact that C:\WINDOWS\winxp.exe is typically related to bagle. This is also one of the few cases where C:\WINDOWS\winword.exe is related to the malware.

The other thing to keep an eye out for is that if you try and run a program while infected, let’s say Firefox, you may end up with some files in C:\Program Files\Mozilla Firefox or elsewhere on the hard drive. Fortunately, it’s easy to find exactly where they go, as they share the same file size and creation date as winword.exe and winxp.exe, so you may just have to do a search to find all of them.
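This search and the driver hunt in the page-fault post above come down to the same heuristic: files that share a creation date (or an exact timestamp and size) with files already known to be bad. Below is an added Python example of that triage pass, not a tool from the original posts; the sample tree it builds is constructed here, and the timestamp field it keys on is noted in the comment (creation time on Windows, mtime elsewhere).

```python
import os
import sys
import tempfile
import time
from pathlib import Path

def stamp(st):
    # The posts key on creation date. os.stat reports that as st_ctime on
    # Windows; on POSIX st_ctime is inode-change time, so use mtime there
    # (it is also what os.utime can set for the constructed sample below).
    return st.st_ctime if sys.platform == "win32" else st.st_mtime

def fingerprint(path, strict):
    """strict: exact timestamp and byte size (the winword.exe/winxp.exe case).
    loose: calendar date only (the 'same creation date as the malware' case)."""
    st = os.stat(path)
    if strict:
        return (int(stamp(st)), st.st_size)
    return time.strftime("%Y-%m-%d", time.localtime(stamp(st)))

def find_siblings(root, known_bad, strict=True):
    """Files under root sharing a fingerprint with any known-bad file."""
    targets = {fingerprint(p, strict) for p in known_bad}
    bad = {Path(p).resolve() for p in known_bad}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            if p.resolve() in bad:
                continue          # the reference files themselves
            try:
                if fingerprint(p, strict) in targets:
                    hits.append(p)
            except OSError:
                pass              # vanished or unreadable; skip it
    return sorted(hits)

def build_sample_tree(base):
    """Constructed sample tree (not from the post): the two dropped files, a
    copy planted in a Firefox folder, a .sys from the same day but a different
    size, and an innocent file that only matches on size."""
    base = Path(base)
    payload = b"MZ" + b"\0" * 1022                     # 1024 bytes
    day = 1_199_967_600                                # fixed epoch seconds, midday UTC
    files = {
        "WINDOWS/winxp.exe": (payload, day),
        "WINDOWS/winword.exe": (payload, day),
        "Program Files/Mozilla Firefox/firefox.exe": (payload, day),
        "WINDOWS/system32/drivers/wek86.sys": (b"\0" * 4096, day + 60),
        "Program Files/Mozilla Firefox/README.txt": (b"x" * 1024, day + 30 * 86400),
    }
    for rel, (data, t) in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (t, t))
    return base, [base / "WINDOWS/winxp.exe", base / "WINDOWS/winword.exe"]

def demo(base=None):
    """Run both passes over the sample tree; returns the file names hit."""
    root, known = build_sample_tree(base or tempfile.mkdtemp())
    strict = [p.name for p in find_siblings(root, known, strict=True)]
    loose = [p.name for p in find_siblings(root, known, strict=False)]
    return strict, loose

if __name__ == "__main__":
    print(demo())   # (['firefox.exe'], ['firefox.exe', 'wek86.sys'])
```

Pointed at a mounted drive from the UBCD with the real dropped files as known_bad, the strict pass lists the planted copies and the loose pass gives the wider "same day" candidate list for manual review.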

Overall, we used the following programs to keep track of what was happening and/or resolve things:

  • We did have to use the UBCD in order to get access to these files and the registry, as the malware prevents the use of the registry and .exe files without making them reference the malware. If you tried to boot into Safe Mode, you’d also be running the malware, which would still prevent you from getting to regedit easily. We used RegEdit (Remote) to change the registry.
  • We used Regshot to track what the registry looked like before and after the infection happened, though we did have to use the UBCD to make the exefile change listed above in order to run the .exe file first.
  • While it gave much the same information as Regshot, Deckard’s System Scanner was also used instead of just using HijackThis.
  • We also used a program to fix IE and the explorer shell, just to be sure. I’m not sure if we made it or found it, but we call it FixShell.bat.


Making a bootable USB drive with BartPE or UBCD4Win

At work, we use a tool called Ultimate Boot CD for Windows (UBCD). What it does is allow us to place the CD into a computer that isn’t booting, such as with malware issues, missing .dll files, etc., but not hardware issues, and boot up a version of Windows that is loaded into the system’s memory. By doing this, we can then edit the registry, even if there is malware that would hide the registry entry via a rootkit, delete problem-causing files, such as worms that have a known file name, and even back up the files to an external USB HD, so that a client’s information can be saved prior to a format of an otherwise dead system.

I had been asked by my boss, as well as searching independently prior to his asking, for a way to load the UBCD version of Windows off of a USB drive instead. I had found some sites that gave ways to attempt it, such as Windows In Your Pocket off of Tom’s Hardware, but for whatever reason, that method proved not to work. Earlier this week I decided to give it another go, and I managed to find a program that would make a USB drive bootable and then load a BartPE (Bart Preinstalled Environment) installation onto it. BartPE is what the UBCD is built around, with the UBCD adding many more plugins and other tools to BartPE.

In order to do this, you will need the items listed below. I’m going to mention the items needed to create the UBCD build as well.

  1. Follow the directions on how to build the UBCD4Win:
    1. A Windows XP CD, with at least Service Pack 1. I know that at BGSU, the bookstore is selling Windows XP on DVDs. I imagine that it really doesn’t affect the process, but don’t quote me on that. If your CD does not have Service Pack 1, you could slipstream the service pack and create a bootable CD.
    2. BartPE, UBCD4Win, and the UBCD4Win drivers, from the UBCD4Win download page.
  2. Download PeToUSB and extract it to a folder on your hard drive.

Now all that’s left is to follow the directions for building the UBCD4Win and then the readme file for Boot BartPE from USB, and eventually, you’ll have a bootable USB ready to go. I personally used a 512MB Cruzer Titanium. The only downside was that I ended up only having 70MB free once everything was said and done. As UBCD4Win has more on it than BartPE, you could remove items you don’t need from UBCD4Win, or just use BartPE, to get more available room on the USB. Prior to placing UBCD4Win on the USB drive, I had placed BartPE on it, and it worked no problem.

Yes, not every computer out there can boot from USB, but most computers made in the last couple of years can. So, if you are going to be working on older computers, you should make sure you have an actual UBCD around.

Now I have a bootable version of Windows with me on my keychain wherever I go.
