-
February 16th, 2011, 04:38 PM
#11
Member
Thanks for your input. It happened again to him this morning. As was mentioned, I do not believe it is PEBKAC because no matter how high up the admin chain you go you still can't delete the contents of the Windows folder while it is running (so far I haven't seen a way)... I have tried. Even so, he is a normal domain user, meaning he has no admin rights.
Hardware issues I ruled out because it happens on his VirtualBox, normal desktop (tried two different models) and his laptop. We used three different OS versions with different SPs (about 12 different CDs/DVDs, thinking that the install was bad). It happens in XP, Vista, and Win 7 with no prompting, and most times he isn't at his desk when it occurs (he was in the field yesterday afternoon and this morning his machine was all hosed again).
Enlighten me on the new Windows feature... is it similar to the meat virus?
In the meantime I'll mimic his environment on a honey pot and see what happens... if I find out I'll let you all know
-
February 18th, 2011, 02:36 AM
#12
In the meantime I'll mimic his environment on a honey pot and see what happens... if I find out I'll let you all know
Hi, that suggests to me that you suspect a targeted malicious attack?
I wonder about that, given that you must have one hell of a knowledge of the inner workings of Windows to pull it off?
My advice remains:
1. Create a new account, new password, new everything.
2. Do not copy anything from the old account..........manually enter it yourself.
3. Give it to him and tell no-one.............in particular NOT your IT colleagues............if this is malicious it isn't a bloody prole that is doing it; it is one of your own!
Then see what happens.............obviously he should log into the "old" account as well as the new one, just to provide a smokescreen. And make sure that he knows to keep his mouth shut!
If there are no problems with the new account then stop logging in and out of the old one.
If you start to get the old problem again then it is almost certainly a deliberate attack by someone in the IT department
Is he screwing somebody's wife/daughter?............he must be pretty mild mannered to have let this go on for two years?
Your handle suggests that you are a Linux fanboi?.............forget it, and do this the Winders way............he needs a "witness protection scheme"?
I hope that you don't mind if I am brutally frank and honest with you?.....these circumstances are so unusual that I would swallow my professional pride and actually involve Microsoft...............something that I could count on the fingers of one hand in the last 25 years!!!
You see this affects XP, Vista and 7, so it has to be endemic?.......that alone should get M$ interested?
BTW, you couldn't set up a Win 2000 instance on a test machine could you?...........I would suspect that you will get the same, as I suspect some deeply embedded Windows flaw...........probably exploitable?
I can see what dino is thinking, but you have tried this on more than one physical hardware setup? so it isn't the physical machine?
Please do not mess with the machine.............this could be your moment of glory?
-
February 22nd, 2011, 02:30 PM
#13
Not sure if this will help, but here is how to delete the windows folder while windows is running:
From a command line:
takeown /f C:\Windows\*.*
you may have to do this once or twice, and on specific files. Also run the command line as administrator.
Once you own the files, change permissions
cacls C:\Windows\*.* /G username:F
Repeat the process on the Windows directory and then hit delete. In Explorer, the shell will crash half way through the system32 dir.
Kill network services and the explorer process, open a command line and delete the entire Windows directory. You should be able to get most of the files deleted before the system stops.
This process works best as a post boot command.
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
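The takeown/cacls recipe above leaves fingerprints that are easy to look for, which matters in this thread because the OP's user is supposedly a plain domain user. Below is an added example (mine, not code from the post or from the OP's environment) that sweeps the top of C:\Windows for exactly those traces: an owner that is no longer NT SERVICE\TrustedInstaller (takeown rewrites it to the caller, or to Administrators with /a) and a DACL that has been replaced by a single Full Control entry (what "cacls ... /G username:F" produces). The expected-owner list, the sweep depth and the function name are assumptions for the example; run it elevated in Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the thread: detect the traces that the takeown/cacls
# recipe leaves behind in C:\Windows. Run in an elevated PowerShell session.
# Assumptions: a stock install keeps these files owned by TrustedInstaller,
# SYSTEM or BUILTIN\Administrators; -Depth 1 (PowerShell 5+) is enough for a
# quick look, raise it for a full sweep.

$ExpectedOwners = @(
    'NT SERVICE\TrustedInstaller',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators'
)

function Get-WindowsOwnershipDrift {
    param(
        [string]$Root  = 'C:\Windows',
        [int]   $Depth = 1          # top level plus System32 etc.
    )
    Get-ChildItem -LiteralPath $Root -Force -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop } catch { return }

            $ownerOk = $ExpectedOwners -contains $acl.Owner

            # A DACL that is one explicit Full Control entry for a non-builtin
            # principal is exactly what "cacls <file> /G username:F" produces
            # (without /E it replaces the whole ACL rather than editing it).
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
            $replaced = ($explicit.Count -eq 1 -and
                         $explicit[0].FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl -and
                         $ExpectedOwners -notcontains $explicit[0].IdentityReference.Value)

            if (-not $ownerOk -or $replaced) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Owner    = $acl.Owner
                    Explicit = ($explicit | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
                    Reason   = if (-not $ownerOk) { 'owner changed' } else { 'DACL replaced' }
                }
            }
        }
}

Get-WindowsOwnershipDrift | Format-Table -AutoSize
```

A clean machine will still report a handful of items (Temp, log files, some installer leftovers are owned by other accounts), so take a baseline from a freshly imaged box and diff the output rather than reading it raw. If the OP's user can't run takeown himself, anything that shows up as "owner changed" under System32 was done by an account that could, and the SACL/audit approach further down the thread is what tells you which one.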
-
February 23rd, 2011, 07:53 PM
#14
-
February 24th, 2011, 07:52 AM
#15
Either someone is playing games (sounds like an epic game, going to try it on my mate sitting next to me) or it's a user profile issue.
With a lot of weird things incl. malware issues, a new user profile > all.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
February 24th, 2011, 08:40 PM
#16
I have run across issues related to profiles where creating new profiles didn't work. i.e.,
rename profile to profile.old
logon and create new profile - problem comes back...
FIX Delete Profile
Logon and create new profile - problem doesn't come back...
I agree. Different boxes and only one user has the problem. Has to be profile related.
OP Please post what you find...
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
February 27th, 2011, 07:54 AM
#17
I'm pretty curious on this one too ...
What are you logging from the respective installs of the OS?
Did you go into gpedit and manually set the audit policy to enabled for pretty much any event? (I know you're getting the logs remotely, but if you didn't increase the audit policy, then you're not getting a full picture)
As to the deletion ... remember "system" can do anything. So if the files really are getting deleted, it's easier for a "system" task, or someone elevated to system rights, to perform the tasks.
and how often has this happened over the 2 years?
PS. Here's a link for detailed process auditing on Vista which might help.
http://blogs.technet.com/b/askds/arc...-and-2008.aspx
Last edited by TG2; February 27th, 2011 at 08:07 AM.
Reason: addt'l info
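TG2's point is the right one: until object-access auditing is on and C:\Windows carries a SACL, the Security log will never say who deleted what or from which process. The following is an added example (mine, not TG2's or the OP's code) of doing that with auditpol subcategories and a .NET audit rule, and then pulling user, process and object out of the resulting 4663 events, plus the 4688 process starts around the same time so a SYSTEM-level task or scheduled job shows up. It assumes an elevated Windows PowerShell 5.1 session on the affected machine (or the remote machine name passed in, since the OP collects logs remotely), that the Security log is not being cleared by whatever does the deleting, and that on Vista/7 event 4688 carries only the new process name (command line and parent process fields came in later versions). Function names and the one-day lookback are mine.

```powershell
# Added example, not from the thread: enable the auditing TG2 is asking about
# and read back who/what/which-file from the events it produces.
# Assumptions: elevated Windows PowerShell 5.1; Security log intact; the
# caller holds SeSecurityPrivilege (any local admin does).

function Enable-WindowsDeleteAudit {
    param([string]$Path = 'C:\Windows')

    # 1. Audit policy at subcategory granularity (these override the coarse
    #    gpedit categories once subcategory settings are in force).
    & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    & auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
    & auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

    # 2. SACL on $Path, inherited by everything beneath it: log Delete,
    #    DeleteSubdirectoriesAndFiles, TakeOwnership and ChangePermissions by
    #    anyone. Writing only the Audit section via DirectoryInfo leaves the
    #    TrustedInstaller owner untouched (Get-Acl/Set-Acl can trip over it).
    $dir = Get-Item -LiteralPath $Path
    $sec = $dir.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Audit)
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, TakeOwnership, ChangePermissions',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $sec.AddAuditRule($rule)
    $dir.SetAccessControl($sec)
}

# Flatten the EventData of a Security event into a name->value hashtable.
function ConvertFrom-EventData {
    param($Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-WindowsDeleteEvents {
    param(
        [string]  $Path         = 'C:\Windows',
        [datetime]$Since        = (Get-Date).AddDays(-1),
        [string]  $ComputerName = $env:COMPUTERNAME
    )
    # Access mask bits: DELETE 0x10000, FILE_DELETE_CHILD 0x40,
    # WRITE_DAC 0x40000 (cacls), WRITE_OWNER 0x80000 (takeown).
    $interesting = 0x10000 -bor 0x40 -bor 0x40000 -bor 0x80000

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4663; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d    = ConvertFrom-EventData $_
        $mask = [int64]$d['AccessMask']          # "0x10000" parses as hex
        if ($d['ObjectName'] -like "$Path*" -and ($mask -band $interesting)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Process = $d['ProcessName']
                Object  = $d['ObjectName']
                Mask    = ('0x{0:X}' -f $mask)
            }
        }
    }
}

# What started running in the minutes around a deletion: scheduled tasks and
# services run as SYSTEM show up here with SYSTEM as the subject.
function Get-ProcessStartsAround {
    param([datetime]$At, [int]$Minutes = 5, [string]$ComputerName = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4688
        StartTime = $At.AddMinutes(-$Minutes); EndTime = $At.AddMinutes($Minutes)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d['SubjectUserName']; Process = $d['NewProcessName'] }
    }
}

# Usage: Enable-WindowsDeleteAudit; wait for the next incident; then
# Get-WindowsDeleteEvents | Format-Table -AutoSize
# $first = (Get-WindowsDeleteEvents | Sort-Object Time | Select-Object -First 1).Time
# Get-ProcessStartsAround -At $first | Format-Table -AutoSize
```

Two caveats worth knowing before trusting the result. First, bump the Security log's maximum size before enabling this (wevtutil sl Security /ms:... or the event viewer properties); a SACL on all of C:\Windows for delete/owner/DACL rights is quiet in normal operation, but the first wipe of System32 will produce tens of thousands of 4663/4660 events and a small log will roll the interesting start of the sequence off the end. Second, if the events show the user's own session and explorer.exe as the deleting process, that points back at the profile (or something running in it) rather than at a SYSTEM task, which is exactly the distinction the "new profile" and "someone in IT" theories in this thread hinge on.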
-
February 28th, 2011, 05:35 PM
#18
Did I miss this part in all this discussion: what are common denominators each time? User and hardware, if I read it right (granted, I only skimmed the postings). Random BSODs are going to be a memory issue (hardware) -- will happen in both the VM and the host O/S.
Something else I missed further discussion on: "Upon inspection the windows folder is totally empty." -- all the files are *gone* when this happens, as in, an empty directory? Hard drive.
Forgive me if these are talked about already, but it sounds hardware related -- assuming they've all been constant throughout this. Or even power supply -- where the unit is plugged into. For example: the guy in the office across the hall from me had no issues until he got a new machine, then we noticed that every Monday when the backup generator came on and the power switched over to backup, it would BSOD and reboot. Didn't happen with the old computer -- we're chalking it up to a more sensitive power supply to the temporary drop in voltage -- most power supplies can handle this OK.
-
February 28th, 2011, 08:54 PM
#19
Yeah, you might have missed stuff ... unless I'm reading too much into the OP ... but it seems
1) only happens to this user
2) yes, files gone in the \windows directory
3) hardware not issue (as 4 points out, but also believe there was hardware swapping)
4) happens to user when using a Virtual Machine too
it clearly is associated with "user"; forgiving a stupid user doing it themselves, it leaves a malicious *other* user, or a rogue program/app that the user uses, reinstalls, a site browsed to, etc., before suddenly "poof", gone in 60 seconds (lol)
again.. *I* could be reading more into it ... but that's the gist of it so far...
-
March 1st, 2011, 04:05 PM
#20
Mykol,
I think that this is the bit you missed?
Hardware issues I ruled out because it happens on his virtualbox, normal desktop (tried two different models) and his laptop. We used three different OS versions with different sp's (about 12 different cd's/dvd's thinking that the install was bad. It happens in XP, Vista, and Win 7 with no prompting and most times he isn't at his desk when it occurs (here was in the field yesterday afternoon and this morning his machine was all hosed again).
So we have 3 different PCs and 3 different OSes................that cannot be hardware.
The only thing vaguely hardware like that I could think of was some sort of authentication token. But we don't know if he has one.