Posted 16 March 2005 - 04:54 AM
Is anyone aware of any malware that specifically targets the default certificate store on a Win2K system?
Recently, an increasing number of our users have been experiencing the issue wherein, upon logon to the Win2K system, the computer presents the error message:
Windows File Protection error
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your Windows 2000 Server CD-ROM now.
Inserting said CD seems to result in files being accessed (copied?) ... yet the error recurs upon subsequent logon. If, otoh, one "cancels" the above dialog, another short error is displayed, after which one can go on using the system as normal (again, though, the error recurs upon next logon).
An additional symptom for some users is that access of certain secure sites, such as Webex or a banking site, results in certificate errors where one wouldn't expect them. One user, upon connecting to the Webex site, continually sees the error “Revocation information for the security certificate for this site is not available. Do you want to proceed?” Clicking yes to continue, however, causes the browser to still hang up while trying to connect to a conference. (This, I suspect, is merely a symptom of the "no certificate" problem detailed below.)
Microsoft KB articles we've found that seem relevant to this issue include Q293781 and Q296241.
The resolution detailed in the latter article (importing the No Liability and MS Root Authority certificates from a "clean" computer) is one that we've been using with limited success - sometimes this works around the "error message at logon" problem (though it doesn't seem a complete resolution), sometimes not.
What's most troubling, though, is that upon accessing the Certificates MMC on the afflicted system one sees that there are absolutely no certificates installed on the OS (as opposed to a fresh/clean system, which seems to have hundreds)!
The single common thread among most (all?) of the systems exhibiting this behaviour is that they've seen relatively heavy malware (adware/spyware/etc) affliction.
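One defender-side check that follows from the post is to audit the machine's Trusted Root store rather than eyeballing it in the MMC: record what a clean system holds, then compare afflicted systems against that baseline, flagging an emptied store, the two roots the KB workaround re-imports, and any root that was never on the clean machine. The script below is an added example, not code from the original poster. It assumes a Windows host with PowerShell 3 or later and the Cert: drive (Windows 2000 has neither; there the equivalents are the Certificates MMC or "certutil -store Root"), an assumed baseline path of C:\baseline\root-store.csv, and that the two roots' subject names begin with the CN values named in the post.

```powershell
# Added example, not from the original post. Assumes PowerShell 3+ and the
# Cert: provider; Windows 2000 lacks both (use the Certificates MMC or
# "certutil -store Root" there). The baseline path is an assumption.

param(
    [string]$BaselinePath = "C:\baseline\root-store.csv",   # assumed path
    [switch]$WriteBaseline
)

# Enumerate the machine-wide Trusted Root store.
$roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Select-Object Subject, Thumbprint, NotAfter)

if ($WriteBaseline) {
    # Run once on a known-clean machine to record what "normal" looks like.
    $roots | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written: $($roots.Count) root certificates."
    return
}

# Symptom from the post: the store is empty or nearly so.
if ($roots.Count -lt 10) {
    Write-Warning "Only $($roots.Count) root certificates present; store may have been emptied."
}

# The two roots the KB workaround re-imports; subject prefixes are assumed.
$expectedSubjects = @(
    "CN=Microsoft Root Authority*",
    "CN=NO LIABILITY ACCEPTED*"
)
foreach ($pattern in $expectedSubjects) {
    if (-not ($roots | Where-Object { $_.Subject -like $pattern })) {
        Write-Warning "Expected root missing: $pattern"
    }
}

# Compare against the clean baseline: missing roots point to deletion,
# unexpected additions point to a root that was planted after the baseline.
if (Test-Path $BaselinePath) {
    $baseline = Import-Csv -Path $BaselinePath
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $roots `
        -Property Thumbprint -PassThru
    foreach ($entry in $diff) {
        $state = if ($entry.SideIndicator -eq "<=") { "MISSING" } else { "UNEXPECTED" }
        Write-Output ("{0,-10} {1}  {2}" -f $state, $entry.Thumbprint, $entry.Subject)
    }
    if (-not $diff) { Write-Output "Root store matches baseline." }
}
```

Run it once with -WriteBaseline on a clean machine, copy the CSV to the suspect system, and run it again there; the MISSING and UNEXPECTED lines give a concrete list to work from instead of the KB's two-certificate re-import alone, and an UNEXPECTED root is worth examining before the machine is trusted for banking or conferencing sites.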