Advice on How to Proceed


3 replies to this topic

#1 Honorable Patches

  • Members
  • 4 posts
  • Gender:Male
  • Location:Tulsa, Ok

Posted 07 September 2012 - 12:35 AM

In this post I would like to present three Win7 Pro configuration features I believe indicate a complex system compromise. I could write several pages of observations which begin about six months ago when my integrated laptop cam light began to come on by itself. I strongly suspect the compromise includes a back door as I have observed the configuration changes are dynamic, active, and responsive to my efforts at mitigation and forensic analysis. I will provide as much background detail as needed, but the course the malware and its operator(s) take changes and has continually improved and adapted, becoming less and less detectable with each operating system reinstall. I've reinstalled and reconfigured Windows 7 upwards of 15 or so times. Since disconnecting my integrated cam there seems to be much less interest (at least the changes made are less noticeable and less aggressive). I've had a very stable and functional OS with this build, but I do not believe any of my efforts have had much effect on the overall infection.

The three features I'd like to present are relatively static compared to other changes I've seen. These are the same each time. There is probably much, much more, but I'm not a tech and don't know what I'm doing when it comes to this kind of thing. I just keep trying to wipe, reformat, and reinstall the OS. The first issue I present is a partition I have that I can not remove. I've tried Hiren's Boot Rescue CD and Darik's Boot and Nuke and wiped, zeroed, low-level formatted, and written to the hard drive in an effort to clear the 100 MB partition shown below. All to no avail. It survives everything. It starts a fresh install with around 25 MB and has increased to its present volume over the past four days. Here is what I show:

Posted Image


Secondly, on the root of every drive I have a file called "$RECYCLE.BIN" that is installed. If I plug in removable media it also gets an "empty" folder of the same name. It's a non-hidden folder which is installed at the root of every drive or removable media I connect to my PC.

Posted Image

Third: I have upwards of 30 locked registry keys. Two are HKEY_USERS that have a Windows Live Mail "progid" and the other 30 or so are all HKEY_LOCAL_MACHINE\Software keys.

Taking just these three facts, I'm very curious for opinions and any advice on how I should proceed to investigate this further and provide more useful information that could help to identify and resolve this. Thank you for reading.

/HP

Edited by Honorable Patches, 07 September 2012 - 12:37 AM.



#2 Andrew

    Bleepin' Night Watchman

  • Moderator
  • 8,260 posts
  • Gender:Not Telling
  • Location:Right behind you

Posted 07 September 2012 - 01:19 AM

Aside from the webcam light, which may or may not indicate more than a loose wire, all the symptoms you reported are normal and indicate nothing but proper function.

The System Partition will be created by the Windows OS installer every time you reinstall as it stores information for UEFI-based system boards and GPT partition tables. The $RECYCLE.BIN folders are created by Windows when a volume is created and are where files live after you delete them but before emptying your Recycle Bin. Finally, hundreds of registry keys are locked by Windows at any given time because Windows is using them or protecting them on purpose. Some registry keys will never be accessible from a running system, because they're critical and always in use.

Edited by Andrew, 07 September 2012 - 01:21 AM.
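The baseline Andrew describes can be checked on the machine rather than taken on faith. The script below is an added example, not code from this thread or from BleepingComputer; it is read-only and uses only WMI classes and .NET registry calls that the Windows PowerShell shipped with Windows 7 already provides. It lists the partition table so the small bootable partition the installer creates can be identified, reports whether each volume's $RECYCLE.BIN carries the Hidden and System attributes Windows sets on it, and counts HKLM\SOFTWARE subkeys the current account cannot open for reading. The expected attributes and partition shape are those of a default Windows 7 install, and treating "access denied" as the condition the thread calls "locked" is an assumption of this example. Anything the script reports as unexpected is a starting point for a closer look, not evidence of compromise by itself.

```powershell
# Added example, not from the thread: read-only check of the three items
# Andrew describes, using only what Windows 7's built-in PowerShell offers.
# Assumptions: a default Windows 7 install, run from an ordinary admin account.

# 1. Partition table. The installer's System Reserved partition appears as a
#    small primary partition flagged Bootable and has no drive letter.
Write-Host '== Partitions =='
Get-WmiObject -Class Win32_DiskPartition |
    Sort-Object DiskIndex, Index |
    Select-Object DeviceID, Type, PrimaryPartition, Bootable,
        @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Size / 1MB) } } |
    Format-Table -AutoSize

# 2. $RECYCLE.BIN on each fixed (DriveType 3) and removable (DriveType 2) volume.
#    Windows creates it per volume with the Hidden and System attributes set,
#    so Explorer shows it only when "Hide protected operating system files" is
#    turned off. A folder without those attributes is worth a closer look.
Write-Host '== $RECYCLE.BIN folders =='
$hidden = [int][IO.FileAttributes]::Hidden
$system = [int][IO.FileAttributes]::System
Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=3' |
    ForEach-Object {
        $path = $_.DeviceID + '\$RECYCLE.BIN'   # single quotes: $ is literal
        if (Test-Path -LiteralPath $path) {
            $item  = Get-Item -LiteralPath $path -Force   # -Force: see hidden items
            $attrs = [int]$item.Attributes
            $asExpected = (($attrs -band $hidden) -ne 0) -and (($attrs -band $system) -ne 0)
            New-Object PSObject -Property @{
                Volume     = $_.DeviceID
                Present    = $true
                HiddenSys  = $asExpected
                Attributes = $item.Attributes.ToString()
            }
        } else {
            New-Object PSObject -Property @{
                Volume = $_.DeviceID; Present = $false; HiddenSys = $false; Attributes = ''
            }
        }
    } | Format-Table Volume, Present, HiddenSys, Attributes -AutoSize

# 3. HKLM\SOFTWARE subkeys the current account cannot open for reading.
#    Many are ACL-restricted on purpose; an access-denied result is a
#    permission outcome, not evidence of tampering. (Assumed here to be what
#    the thread calls a "locked" key.)
Write-Host '== HKLM\SOFTWARE subkeys not readable by this account =='
$software = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE')
$names    = $software.GetSubKeyNames()
$denied   = @()
foreach ($name in $names) {
    try {
        $sub = $software.OpenSubKey($name)   # read-only open; throws when access is denied
        if ($sub) { $sub.Close() }
    } catch {
        $denied += $name
    }
}
$software.Close()
Write-Host ('{0} of {1} subkeys denied: {2}' -f $denied.Count, $names.Count, ($denied -join ', '))
```

Run it from an elevated PowerShell prompt and compare the output against the expectations in the comments. Running the registry section as a standard user and again as an administrator is a useful way to see that the set of unreadable keys shrinks with privilege, which is what ordinary ACL protection looks like.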


#3 Honorable Patches
  • Topic Starter

  • Members
  • 4 posts
  • Gender:Male
  • Location:Tulsa, Ok

Posted 07 September 2012 - 05:36 AM

Thank you Andrew. What a relief! I certainly have a lot to learn about Windows. I started reading interesting stuff about penetration testing and methods before I finished the basics of Windows. I can now identify with the majority of conspiracy theorists: mix ignorance with some paranoia and you can find evidence of anything - in everything.

Thanks again, I appreciate your time.

#4 Andrew

    Bleepin' Night Watchman

  • Moderator
  • 8,260 posts
  • Gender:Not Telling
  • Location:Right behind you

Posted 07 September 2012 - 11:36 AM

:thumbsup:
