Jump to content

Search the Community

Showing results for tags 'kb2859537'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

Found 1 result

  1. I spent my Saturday evening working on probably the most convoluted computer problem I’ve ever seen. This computer was infected with a rootkit virus that went undetected for who knows how long, no thanks to Symantec Endpoint Protection. I didn’t realize that at first though because there wasn’t any obvious signs of infection, and like I just mentioned, Symantec wasn’t throwing any alerts. Microsoft released a security update on Tuesday, KB2859537, that prevents a rogue application from hijacking the kernel via a particular exploit. Automatic updates installed it among 11 other updates Wednesday night. When staff came in Thursday, the computer was stuck at the “Starting Windows” screen. I started by attempting to fix the issue as if it was a problem with Microsoft Windows Update. I used every utility imaginable to clear/reset/fix Windows Update. I also reset the BIOS, screwed with the IRQs, sat through a system file check and hard drive check (which takes over an hour.) I even did a full hardware diagnostic to make sure the memory, CPU, etc wasn’t failing. Also removed unnecessary applications as well as Symantec to make sure nothing was interfering. I eventually narrowed the problem to a specific update by installing 1 update at a time, rebooting, next update, repeat. After identifying which update caused the computer to not load, I searched the web to see if others had the same problem. That’s when it happened: there was a dialog popping up in the bottom left of IE to install the latest Media Player. I had seen this dialog once before when I was on a Microsoft site today, and it looked official, so I didn’t think much of it. But now it was popping up on a non-Microsoft forum. I immediately downloaded TDSSKiller and removed two rootkits that it found (Rootkit.Win32.BackBoot.gen and Rootkit.Boot.Cidox.b.) Rebooted, installed and updated mbam. Rebooted into safe mode, ran mbamfull scan. It found 2 results (both Tojan.Vundo variants.) Rebooted and the IE popup was gone, but I ran ComboFix just to be safe. It found a few malicious files and folders (FunWebProducts, DownloadHelper to name a couple.) Then, I reset IE to make sure there wasn’t any lingering Add-ons. Next, I installed the August malicious software removal tool. After a reboot, I re-attempted to install security update KB2859537. This time, instead of locking up, the computer booted normally. Yay! Praise be to the computer gods. What was happening: KB2859537 corrected an exploit that a rootkit virus was using to hijack the computer. Because the exploit was fixed after installing the update, upon the next reboot, the rootkit is now blocked from functioning. This causes the entire computer to lock up and even BSOD in some cases. By removing the rootkit virus, I was able to install the security update without the computer locking up. I wish I could say that was fun. Hope this saves someone else some time. Update: If your computer is already locked up from the update, use your Windows disc to launch Startup Repair. During the repair, it will ask if it can use System Restore. Proceed through the menus and it will restore the computer to before the update was installed. I had a better success rate of doing this with the Windows disc than with F8 as the Rootkit corrupted the system restore utility. Source/proof: By request, I’ve gathered all of the logs from the computer and made them available to the public here. Via: Microsoft Update KB2859537 prevents PC from booting if Rootkit is present – James Watt
×
×
  • Create New...