Compromised WinXP box prob


Compromised WinXP box prob

by Mike Moratz-Coppins

I am self-employed, fixing computers for customers for a living.  I have
a customer's machine at home at the moment because I am stumped by a
problem on it.

I'll describe the history (AFAIK) up to this point - the customer was
running WinXP SP1 with Norton Antivirus.  They noticed a problem where
it looked like lots of e-mails were outgoing, Norton detected viruses
but wasn't able to get rid of them.  The customer rang Symantec support,
who spent about an hour doing remote assistance on their machine,
seemingly trying to delete the virus-infected files only to have them
recreated on reboot.  The Symantec guy gave up after a while and advised
the customer that they should get hold of a WinXP CD (I'm not sure what
their intention was at this point).  When the customer managed to get
hold of a WinXP CD, they rang Symantec back only to be told that they
should get someone local to deal with the problem.  Then the customer
called me.

When the computer boots, it seemingly does a normal Windows boot (the
normal Windows XP progress bar, green as it is Home Edition and pre-SP2),
but then the next screen it shows is saying safe mode (no reboot in
between).  Standard welcome screen, but no accounts can log in ("your
account cannot log in due to an account restriction" - perhaps not
exactly word-for-word but the message looks like a genuine Windows
message rather than something crafted by a third party).  This goes for
all accounts on the machine including administrator.

I tried all safe modes and 'last known good' but same result.  Next I
tried the ntpasswd boot CD and reset all accounts' passwords, though
none of them said locked out/disabled etc.  Boot again, no difference.

I booted off my WinXP CD into recovery console, and as the customer
mentioned boot sector viruses, for the sake of being thorough I used
FIXMBR and FIXBOOT to rewrite the boot sector and MBR.  No difference to
normal Windows boot.  Again in recovery console, I checked for the file
names that the customer said that Norton mentioned.  Neither of them
were familiar, but I think I found one of them and renamed it to stop it
potentially executing on boot.  No difference to bootup.

I guessed that the 'account restriction' might be the 'log on locally'
right but I haven't found a way of configuring this.  I tried renaming
logonui.exe to cmd.exe but that command prompt won't let me run any
other executables (not enough quota message) such as ntrights.exe.  One
possibility I can think of is to set up a LAN with DHCP, put my laptop
on it and the machine in question and try to do ntrights over the
network but I would have thought that the firewall on that machine would
stop that attempt.  Of course I could be barking up the wrong tree with
this overall 'account restriction' theory.  I also tried having
REGEDIT.EXE run in the place of LOGONUI.EXE but it errors saying I
didn't supply it with an argument.  Eventually it gives up trying to run
it and goes to the winlogon classic UI, which unsurprisingly gives me
the same account restriction error.

The other problem I have noticed is that I saw a few iffy-looking
services in recovery console using LISTSVC but I can't configure the
service startup type as the command complains that there isn't a
CurrentControlSet key.

That last problem makes me think that this and the 'account restriction'
were inadvertently caused by Symantec support, perhaps one of their
removal utilities (which I've noticed one or two on C drive) has done
some damage.  My only other theory is that some over-zealous malware
writer has designed some sort of self-destruct system but I can think of
more effective ways of achieving such an end and overall I think this
theory is rather alarmist.

I've mounted the disk on my machine and virus-scanned it.  It has
removed a few assorted virus-infected files and cleaned up a couple of
others (such as lsass.exe - not misspelt), but the machine still doesn't
start.  I've backed up the customer's data and I have got the customer's
consent to nuke the installation but I would prefer not to if it isn't
necessary (and learn from this experience), though of course I don't
want to spend a huge number of hours on this problem only to fall back
on the repair-reinstall/clean-install option.

If anyone has any ideas I would much appreciate hearing them!


--
Mike Moratz-Coppins
mike@...
http://www.mikeymike.org.uk/


RE: Compromised WinXP box prob

by Devin Ganger

With all the problems you've described on this box, you're better off nuking it and reinstalling from scratch. If you really want to play with it and learn from it, take an image of the hard drive before you do so (with, of course, the customer's consent). That way the customer gets back up and running quickly and you can perform forensic analysis at your leisure.

Be aware, though, with all of the access to the drive that you've described, you're going to have a very tough time actually determining exactly what happened. The fact that it is XP SP1 (not SP2) dramatically increases the likelihood of malware's role in ruining this installation.

--
Devin L. Ganger, Exchange MVP      Email: deving@...
3Sharp                             Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/




RE: Compromised WinXP box prob

by Robert S. Slifkin

I agree, imaging if possible and a wipe is probably the best option.
Forensic analysis never hurts, but it shouldn't be done at the expense
of the customer (convenience, time to fix, etc).  


________________________________
Robert S. Slifkin
Email:  Rob@...
Phone: 203.962.3878



RE: Compromised WinXP box prob

by jay.tomas@infosecguru.com

You need to consider the liability of imaging clients' data. If you are at some point compromised or there is a physical theft, you are placing your business and the client at risk.

Jay





RE: Compromised WinXP box prob

by Robert S. Slifkin

Of course he needs the client's permission first, and he could possibly
remove sensitive data before imaging.  


____________________________________
Robert S. Slifkin
Email: Rob@...
Phone: 203.962.3878



RE: Compromised WinXP box prob

by jay.tomas@infosecguru.com

There is a difference between asking for permission and possible liability. Once you take that data you take on the liability of protecting it. They can say you can image it, but that doesn't stop them from suing you if you allow it to be compromised.

As far as removing sensitive data - umm, isn't this what we are talking about, forensic analysis? The deleted data could be recovered from the image.

It's a bad idea.

Jay

----- Original Message -----
From: Robert S. Slifkin [mailto:rob@...]
To: focus-ms@...
Sent: Mon, 17 Mar 2008 16:36:25 -0400
Subject: RE: Compromised WinXP box prob

Of course he needs the client's permission first, and he could possibly
remove sensitive data before imaging.


____________________________________
Robert S. Slifkin
Email: Rob@...
Phone: 203.962.3878

-----Original Message-----
From: Jay [mailto:jay.tomas@...]
Sent: Monday, March 17, 2008 3:00 PM
To: Robert S. Slifkin; focus-ms@...
Subject: RE: Compromised WinXP box prob

You need to consider the liability of imaging of clients data . If you
are at some point compromised or there is a physical theft you are
placing your business and the client at risk.

Jay



----- Original Message -----
From: Robert S. Slifkin [mailto:rob@...]
To: focus-ms@...
Sent: Mon, 17 Mar 2008 13:41:41 -0400
Subject: RE: Compromised WinXP box prob

I agree, imaging if possible and a wipe is probably the best option.
Forensic analysis never hurts, but it shouldn't be done at the expense
of the customer (convenience, time to fix, etc).


________________________________
Robert S. Slifkin
Email:  Rob@...
Phone: 203.962.3878

-----Original Message-----
From: listbounce@... [mailto:listbounce@...]
On Behalf Of Devin Ganger
Sent: Monday, March 17, 2008 1:34 PM
To: Mike Moratz-Coppins; focus-ms@...
Subject: RE: Compromised WinXP box prob

With all the problems you've described on this box, you're better off
nuking it and reinstalling from scratch. If you really want to play with
it and learn from it, take an image of the hard drive before you do so
(with, of course, the customer's consent). That way the customer gets
back up and running quickly and you can perform forensic analysis at
your leisure.

Be aware, though, with all of the access to the drive that you've
described, you're going to have a very tough time actually determining
exactly what happened. The fact that it is XP SP1 (not SP2) dramatically
increases the likelihood of malware's role in ruining this installation.

--
Devin L. Ganger, Exchange MVP      Email: deving@...
3Sharp                             Phone: 425.882.1032
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


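Jay's point that deleting files before imaging does not remove them from the image, shown with an added Python illustration that is not part of the thread: a constructed toy block device (BLOCK, NBLOCKS and the record format are illustration choices, not a real filesystem) in which an ordinary delete only drops the directory entry, so a carver working on the raw bytes still finds the record, while only an overwrite before release actually removes it.

```python
# Added example (not from the thread): a toy block device that mirrors a real
# filesystem on one point only: deleting a file drops its directory entry and
# frees its blocks but never overwrites the bytes. Everything here is
# constructed; BLOCK/NBLOCKS and the record format are illustration choices.
BLOCK = 64      # bytes per block
NBLOCKS = 16    # device size = 1 KiB


class ToyDisk:
    def __init__(self):
        self.data = bytearray(BLOCK * NBLOCKS)  # the raw bytes a dd image copies
        self.free = [True] * NBLOCKS            # block allocation bitmap
        self.entries = {}                       # directory: name -> (blocks, size)

    def write(self, name, payload):
        need = -(-len(payload) // BLOCK)        # ceiling division
        blocks = [i for i, f in enumerate(self.free) if f][:need]
        if len(blocks) < need:
            raise OSError("disk full")
        for n, b in enumerate(blocks):
            chunk = payload[n * BLOCK:(n + 1) * BLOCK]
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            self.free[b] = False
        self.entries[name] = (blocks, len(payload))

    def read(self, name):
        blocks, size = self.entries[name]
        raw = b"".join(bytes(self.data[b * BLOCK:(b + 1) * BLOCK]) for b in blocks)
        return raw[:size]

    def delete(self, name):
        # Ordinary delete: forget the entry, release the blocks, leave the data.
        blocks, _ = self.entries.pop(name)
        for b in blocks:
            self.free[b] = True

    def wipe(self, name):
        # Overwrite before release; this is what "remove sensitive data" has to
        # mean for the raw image not to carry it.
        blocks, _ = self.entries.pop(name)
        for b in blocks:
            self.data[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
            self.free[b] = True

    def image(self):
        return bytes(self.data)         # bit-for-bit copy; the directory is irrelevant


def carve(image, marker):
    """Recover records from a raw image using no directory information at all:
    every run that starts with `marker` and ends at the next newline."""
    hits, start = [], image.find(marker)
    while start != -1:
        end = image.find(b"\n", start)
        end = len(image) if end == -1 else end
        hits.append(image[start:end])
        start = image.find(marker, end)
    return hits


def demo():
    """Return what a carver sees after an ordinary delete and after a wipe."""
    secret = b"SECRET: customer bank details 12-34-56\n"   # constructed sample
    disk = ToyDisk()
    disk.write("notes.txt", b"nothing sensitive here\n")
    disk.write("bank.txt", secret)
    disk.delete("bank.txt")                          # gone from the listing...
    after_delete = carve(disk.image(), b"SECRET:")   # ...still in the image
    disk.write("bank.txt", secret)                   # lands on the same freed block
    disk.wipe("bank.txt")
    after_wipe = carve(disk.image(), b"SECRET:")
    return after_delete, after_wipe


if __name__ == "__main__":
    print(demo())   # ([b'SECRET: customer bank details 12-34-56'], [])
```

A real FAT or NTFS volume behaves the same way, which is why an image taken for analysis has to be protected like the original data rather than relying on files having been deleted first.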

Re: Compromised WinXP box prob

by stewart.cawthray

It's just me, but have you looked for rootkits?

It may be more than just a simple virus. If the rootkit is part of what you backed up, then you may not recover by a rebuild unless you scan the backed-up files.
From the Blackberry of Stewart Cawthray


RE: Compromised WinXP box prob

by Brooks, Prentis

I agree with Jay.  Even with permission, taking an image of an external
customer's system opens you and your business to a whole slew of
liabilities.  It is all well and good to look for educational
opportunities, but is it really worth the risk in this case?

You would be better off creating a "honey pot" for someone to exploit
and learn from that, than taking an educational image of someone else's
system.



Re: Compromised WinXP box prob

by Mike Moratz-Coppins