I spent my Saturday evening working on probably the most convoluted computer problem I’ve ever seen.
This computer was infected with a rootkit virus that went undetected for who knows how long, no thanks to Symantec Endpoint Protection. I didn’t realize that at first though because there weren’t any obvious signs of infection, and like I just mentioned, Symantec wasn’t throwing any alerts.
Microsoft released a security update on Tuesday, KB2859537, that prevents a rogue application from hijacking the kernel via a particular exploit. Automatic updates installed it among 11 other updates Wednesday night. When staff came in Thursday, the computer was stuck at the “Starting Windows” screen.
I started by attempting to fix the issue as if it was a problem with Microsoft Windows Update. I used every utility imaginable to clear/reset/fix Windows Update. I also reset the BIOS, screwed with the IRQs, sat through a system file check and hard drive check (which takes over an hour). I even did a full hardware diagnostic to make sure the memory, CPU, etc. weren’t failing. Also removed unnecessary applications as well as Symantec to make sure nothing was interfering.
I eventually narrowed the problem to a specific update by installing 1 update at a time, rebooting, next update, repeat.
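The one-update-at-a-time search described above can be scripted so that each run applies the next package and reboots, leaving a record on disk of which one was last installed. This is an added example, not code from the original post. It assumes the relevant .msu packages have already been downloaded into the folder named in `$MsuDir`, that the state file path in `$StateFile` is writable, and that the script is run from an elevated prompt after every reboot; both paths are placeholders.

```powershell
# Added example (not from the original post): reinstall a set of updates one at a
# time with a reboot after each, so the update that stops the machine booting
# can be identified. Assumed: .msu files already downloaded into $MsuDir and the
# script is run elevated after each reboot. Paths below are placeholders.
param(
    [string]$MsuDir    = 'C:\Bisect\msu',           # assumed folder of downloaded .msu files
    [string]$StateFile = 'C:\Bisect\installed.txt'  # record of what has been applied so far
)

$done = @()
if (Test-Path $StateFile) { $done = Get-Content $StateFile }

# Next candidate: the first .msu (by name) not yet recorded in the state file.
$next = Get-ChildItem -Path $MsuDir -Filter '*.msu' |
    Sort-Object Name |
    Where-Object { $done -notcontains $_.Name } |
    Select-Object -First 1

if (-not $next) {
    "All updates in $MsuDir have been applied and the machine still boots."
    return
}

"Installing $($next.Name). If the next boot hangs, this package is the one to investigate."
# Record BEFORE installing, so a hang on the following reboot still leaves the name on disk.
Add-Content -Path $StateFile -Value $next.Name

# wusa.exe installs a standalone update package; /norestart so the reboot is under our control.
$proc = Start-Process -FilePath 'wusa.exe' `
    -ArgumentList "`"$($next.FullName)`" /quiet /norestart" `
    -Wait -PassThru

switch ($proc.ExitCode) {
    0       { "Installed. Rebooting.";                  Restart-Computer -Force }
    3010    { "Installed, reboot required. Rebooting."; Restart-Computer -Force }
    2359302 { "Already installed (WU_S_ALREADY_INSTALLED, 0x240006). Run again for the next package." }
    default { "wusa.exe exited with code $($proc.ExitCode); check Event Viewer (Setup log) before continuing." }
}
```

Run the script once, let the machine reboot, and run it again; the first package whose name appears as the last line of the state file on a machine that no longer boots is the one to examine. Recording the name before calling `wusa.exe` is deliberate: if the reboot hangs, the evidence is already written.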
After identifying which update caused the computer to not load, I searched the web to see if others had the same problem. That’s when it happened: there was a dialog popping up in the bottom left of IE to install the latest Media Player. I had seen this dialog once before when I was on a Microsoft site today, and it looked official, so I didn’t think much of it. But now it was popping up on a non-Microsoft forum.
I immediately downloaded TDSSKiller and removed two rootkits that it found (Rootkit.Win32.BackBoot.gen and Rootkit.Boot.Cidox.b). Rebooted, installed and updated mbam. Rebooted into safe mode, ran mbam full scan. It found 2 results (both Trojan.Vundo variants). Rebooted and the IE popup was gone, but I ran ComboFix just to be safe. It found a few malicious files and folders (FunWebProducts, DownloadHelper to name a couple). Then, I reset IE to make sure there weren’t any lingering Add-ons.
Next, I installed the August malicious software removal tool. After a reboot, I re-attempted to install security update KB2859537. This time, instead of locking up, the computer booted normally. Yay! Praise be to the computer gods.
What was happening: KB2859537 corrected an exploit that a rootkit virus was using to hijack the computer. Because the exploit was fixed after installing the update, upon the next reboot, the rootkit is now blocked from functioning. This causes the entire computer to lock up and even BSOD in some cases. By removing the rootkit virus, I was able to install the security update without the computer locking up.
I wish I could say that was fun. Hope this saves someone else some time.
Update: If your computer is already locked up from the update, use your Windows disc to launch Startup Repair. During the repair, it will ask if it can use System Restore. Proceed through the menus and it will restore the computer to before the update was installed. I had a better success rate of doing this with the Windows disc than with F8, as the rootkit corrupted the system restore utility.
Source/proof: By request, I’ve gathered all of the logs from the computer and made them available to the public here.