Windows 7 Forums

Windows 7: Make secure USB stick for malware offline repair

28 Jan 2016   #1
UberGoober

Windows 7 Pro 64 bit
 
 
Make secure USB stick for malware offline repair

I have one of those baddies that takes over remotely by making your PC part of a domain and taking over SYSTEM and Trusted Installer. It also installs a hidden OS on the HDD, which DBAN didn't erase. I actually booted to it after the wipe, but couldn't get any credentials/user account to allow me to use/change anything.

A clean W7 install isn't a real install - it's a "spoof" version laid over their OS. If you try too many security/hardening settings changes, it locks you out of more and more access by graying out options. It loads its own versions of drivers, and I can't update even with offline mfgr. versions.

Here's Device Manager view By Connection:
DevMgr.1.PNG
DevMgr2.PNG
DevMgr3.PNG

Downloading various scan/fix tools to the desktop as recommended really doesn't work, because SYSTEM already has a spoof version it loads instead of the new file - all scans take about 6-30 seconds for a 250GB HDD. So...

Is there a way to make an absolutely secure USB stick on a clean PC with versions of these programs that run offline? A way that guarantees this malware can't hide on the USB stick?

Thanks, UberGoober




28 Jan 2016   #2
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

DBAN should and does wipe everything on a drive if it is used properly. DBAN has worked for thousands if not millions of people.

A Clean Install by itself does not wipe everything.

Here is a tutorial by Kari. Give it a good read. Don't be fooled by the name of the tutorial.

Windows 7 Installation - Prepare PC to be Sold
28 Jan 2016   #3
ron7000

Windows 7 x64, ultimate/pro/home, SLES x86 & ia64
 
 

Quote: Originally Posted by UberGoober
1) It also installs a hidden OS on the HDD, which DBAN didn't erase.
2) I actually booted to it after the wipe
3) A clean W7 install isn't a real install - it's a "spoof" version laid over their OS

1) I find that very hard to believe.
2) This implies you didn't actually wipe the drive.
3) I am confused on this one; you seem to be saying there is no way to do a clean install?

Are you using a legal working copy of Windows to do your reinstall?
Other than the retail/OEM Windows XP and Windows 7 discs I have bought from Newegg over the years, I use the Dell restore disk for Dell computers and have never had a problem.
I don't even bother to wipe or DBAN a drive; after booting to the Windows DVD for reinstall, just delete all partitions on the drive, then let Windows install on what it then sees as an unpartitioned drive.

Once Windows is installed and you log in, you may have drivers missing under Device Manager. That is completely normal, and you need to get those drivers from a safe and credible source...
Like for Dell computers I go to support.dell.com, or if I need motherboard drivers for an ASRock board then I get those from asrock.com. I suspect you might be reinstalling software/drivers you think are legit but are infected, and you yourself are unknowingly reinstalling your problem.

30 Jan 2016   #4
UberGoober

Windows 7 Pro 64 bit
 
 

Thanks for replying to my post, y'all! It's kind of you to volunteer to help us with our 'puter problems.

Respectfully, I really don't want to argue about whether I'm infected with a RAT (https://technet.microsoft.com/en-us/.../dd632947.aspx). Been there, done that (Malware installed a hidden virtual HD/OS on C: partition). Let's just assume I'm correct that I'm infected, OK?

BTW, I already wrote and tried to post this reply, forgetting about the glitch where the "Post" button always redirects me to the sign-in page when I'm already signed in. So I lost my work. This time I'll copy it to Notepad, sign in and try posting again.

I got A+ certification in 2011 just for my own edification, so I do understand all the doubts you've presented me with. I'll address the ones in your posts. Then we drop it and concentrate on a wipe solution and guaranteed secure USB stick, OK?

Got this PC from Newegg. It's a Joy Systems officially-refurbed HP 6005 Pro SFF with W7 Pro SP1. The disk sent with it is Microsoft-branded and labelled "Intended for distribution with a refurbished PC". HP, AMD, Broadcom, Realtek, etc. drivers used to load when installing from the disk, not all that garbage shown above, which cannot be changed, period. Any attempt to use a driver installer pkg. results in a huge, blinking "ERROR!" message, and a reboot is forced. That's why I'd like to try a secure USB offline install.

The mouse and keyboard driver alerts are one clue analysts use to detect a RAT - you can't update, roll back or install new ones. They are needed by some of the hundreds of Authorized Users allowed to log onto my PC remotely.

The boot menu screen always shows a PXE Boot Agent. I have to "Ctrl+S", save settings, then designate the boot device. The DVD drive spins, but what is actually installed is a restore of the Remote Admin's original setup, just like in your company domain.

Even with complete disconnection from the network and internet (I use Ethernet cables only), the original setup is restored. It has to come from somewhere on the HDD.

I've used DBAN since it only came on floppies. It's now on a CD I've used successfully on numerous HDDs people asked me to dispose of for them. After these wipes to my HDD, I still couldn't make a whole-HDD partition with DISKPART or any of my 3rd-party programs. Between 8 and 12 GB are missing when you do the math with 1,024 bits after each wipe.

Neither do the "clean" or "clean all" commands work, even using the hidden elevated admin account. And I reviewed everything very carefully all 3 times I tried - no syntax or spelling errors in my commands - yet the only response to "Enter" execution are error messages that there's no such command or syntax is wrong.

So, any ideas to get the drive fully wiped and/or create a truly secure USB stick?

Thanks for any efforts you invest in trying to help me - I tried to write in an upbeat, friendly tone, but don't know how it'll come across to y'all on reading it. I honestly do appreciate it.

UberGoober
30 Jan 2016   #5
maxseven

Windows 7 Home Premium 64bit 6.1 Build 7601 (SP1)
 
 

Quote: Originally Posted by UberGoober
Downloading various scan/fix tools to the desktop as recommended really doesn't work, because SYSTEM already has a spoof version it loads instead of the new file - all scans take about 6-30 seconds for a 250GB HDD. So...

Is there a way to make an absolutely secure USB stick on a clean PC with versions of these programs that run offline? A way that guarantees this malware can't hide on the USB stick?

Yes, you make your repair tool on another PC.
04 Feb 2016   #6
ron7000

Windows 7 x64, ultimate/pro/home, SLES x86 & ia64
 
 

Quote: Originally Posted by UberGoober
Got this PC from Newegg. It's a Joy Systems officially-refurbed HP 6005 Pro SFF with W7 Pro SP1. The disk sent with it is Microsoft-branded and labelled "Intended for distribution with a refurbished PC". HP, AMD, Broadcom, Realtek, etc. drivers used to load when installing from the disk, not all that garbage shown above, which cannot be changed, period. Any attempt to use a driver installer pkg. results in a huge, blinking "ERROR!" message, and a reboot is forced. That's why I'd like to try a secure USB offline install.

Even with complete disconnection from the network and internet (I use Ethernet cables only), the original setup is restored. It has to come from somewhere on the HDD.

This makes me think of what I typed above after #3.
I'm thinking of 2 things:

1) The media you are using to reinstall is already corrupted; basically no different than buying a department store PC with malware already on it, which we all know about and hate. And is why we build our own computers, buying a legit OEM copy of Win7 from someplace reliable. I tried years ago a purchased copy of Win7 Ultimate from eBay, was less than $50. It was counterfeit, but everything about it looked legit, with the one thing being the seal on the plastic DVD case had been razorbladed so it had been carefully opened. I was in denial thinking it couldn't be that rampant, but it is.
So I suspect your "disk sent with it is Microsoft-branded and labelled Intended for distribution with a refurbished PC" might be bad, and every time you use it to reinstall you are just reinstalling your malware.

2) Hardware in that Joy Systems box has malware in the firmware, and is reinstalling itself within Windows. Not common but not unheard of. Reminds me of the Sony copy protection firmware rootkit scandal years ago. Would not surprise me that malware is present at the hardware level. I said above that I have purchased OEM Windows 7 discs from Newegg; I trust them for that. But it would not surprise me if they are selling refurb'd PCs that are malware infected at various levels.

For #1 the way to validate would be to install (if possible) that copy of Windows on different hardware, different hard drive, off network, to see if the problem persists. If so it's coming from that DVD.
For #2 to somewhat validate would be to get a new legit copy of Windows for $100 and install on a new hard drive in that Joy Systems box, off network, and see if the problem persists. If so then I would suspect something on the motherboard has malware in the firmware, that exposes you once you have an internet connection.

And you should be able to modify BIOS settings and disable PXE boot. If not then that further points to the refurb PC, which it's possible the installed BIOS has malware. See if you can identify the motherboard and get a new BIOS version direct from the manufacturer.

The first sentence in the link: Malware installed a hidden virtual HD/OS on C: partition
They left 12GB of hard drive unaccounted for when wiping
That was the problem.
I disagree with the notion "it has to come from somewhere on the hard drive" with one exception,
and that is the firmware on the hard drive can also be malware. The simple solution here is to scrounge a new hard drive you are sure is ok.
09 Feb 2016   #7
UberGoober

Windows 7 Pro 64 bit
 
 

Hi, maxseven

My last sentence wasn't clear. I meant in order to prevent the malware from loading itself onto the USB stick while I'm trying to run the applications. I've already made a stick on a clean PC - the malware on my PC corrupted it so none of the scanners work any more.

For instance, has anyone used Panda Vaccine? Did it work for you?
What about the sticks with "read only" switches?

Any suggestions or info gratefully accepted! UberGoober
10 Feb 2016   #8
UberGoober

Windows 7 Pro 64 bit
 
 

Thanks for replying again, Ron. My thoughts in purple...

Quote: Originally Posted by ron7000
1) The media you are using to reinstall is already corrupted; basically no different than buying a department store PC with malware already on it, which we all know about and hate. And is why we build our own computers, buying a legit OEM copy of Win7 from someplace reliable. I tried years ago a purchased copy of Win7 Ultimate from eBay, was less than $50. It was counterfeit, but everything about it looked legit, with the one thing being the seal on the plastic DVD case had been razorbladed so it had been carefully opened. I was in denial thinking it couldn't be that rampant, but it is.
So I suspect your "disk sent with it is Microsoft-branded and labelled Intended for distribution with a refurbished PC" might be bad, and every time you use it to reinstall you are just reinstalling your malware.

That's certainly a real-world scenario, but I don't think it's the case here. I clean-installed on a better HDD I already had soon after getting the Joy PC, and Win7 did none of the odd things that happen now when I try to clean install. I used that install for over a year with no problems.

Quote: Originally Posted by ron7000
2) Hardware in that Joy Systems box has malware in the firmware, and is reinstalling itself within Windows. Not common but not unheard of. Reminds me of the Sony copy protection firmware rootkit scandal years ago. Would not surprise me that malware is present at the hardware level. I said above that I have purchased OEM Windows 7 discs from Newegg; I trust them for that. But it would not surprise me if they are selling refurb'd PCs that are malware infected at various levels.

You're right - all the firmware is corrupted. The Win7 disk originally installed HP-branded firmware, device drivers, etc., and DevMgr used to show the HP proprietary device model names and numbers. Now it's all generic, non-mfgr.-specific. None of these problems were present before I noticed that Remote Desktop, which I'd turned off, was suddenly in the Start menu.

Quote: Originally Posted by ron7000
For #1 the way to validate would be to install (if possible) that copy of Windows on different hardware, different hard drive, off network, to see if the problem persists. If so it's coming from that DVD.
For #2 to somewhat validate would be to get a new legit copy of Windows for $100 and install on a new hard drive in that Joy Systems box, off network, and see if the problem persists. If so then I would suspect something on the motherboard has malware in the firmware, that exposes you once you have an internet connection.

I performed your #1 on a Dell with Vista with about the same specs as this PC, doing a custom clean install on a DBAN'd HDD with my Win7 disk. Worked perfectly until I went to Windows Update. I'm just convinced I've got a Remote Access Trojan from what I've read about their behavior and how my PC is acting. It then allows installation of the kinds of malware you're referring to.

Quote: Originally Posted by ron7000
And you should be able to modify BIOS settings and disable PXE boot. If not then that further points to the refurb PC, which it's possible the installed BIOS has malware. See if you can identify the motherboard and get a new BIOS version direct from the manufacturer.

Oh, no, the purveyors of this poop are much smarter than that! They simply set up a Setup Password for themselves. I used to look at BIOS settings all the time to learn the terminology I didn't understand. One day I was locked out.

I tried installing the firmware & drivers I had put on a USB stick using a clean PC. Trusted Installer denies all access.

Quote: Originally Posted by ron7000
The first sentence in the link: Malware installed a hidden virtual HD/OS on C: partition
They left 12GB of hard drive unaccounted for when wiping

"They" means DBAN and the various other programs I tried to wipe the disk with, not the way it came from JOY, where I could account for all kB on the drive.

Quote: Originally Posted by ron7000
That was the problem.
I disagree with the notion "it has to come from somewhere on the hard drive" with one exception,
and that is the firmware on the hard drive can also be malware. The simple solution here is to scrounge a new hard drive you are sure is ok.

I've already infected 5 HDDs from PCs people wanted to get rid of if I'd wipe their data. Had DBAN'd all of them on the old XP box I recycled, which was running fine, but it was a security concern to me (How ironic!).

I'd really like to try wiping an infected disk successfully if you know of any new programs to try.

Thanks again. UberGoober
10 Feb 2016   #9
UsernameIssues

W7 Pro SP1 64bit
 
 

Panda Vaccine is not going to help you.

A USB flash drive with a write-protect switch will prevent the flash drive from getting infected.

There is a possibility that the computer's BIOS is infected and the computer is toast.
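A check that pairs with the write-protect switch, added here as an example and not from anyone in this thread: build a SHA-256 manifest of the stick's tools on the clean PC, then verify the stick before running anything from it. The tool names and directory layout in the sample are constructed, and `$1` is assumed to be the stick's mount point. It relies on GNU coreutils (`sha256sum`, `find`, `comm`), so it is meant to be run from a live-booted Linux environment rather than from the suspect Windows install, and the manifest's own hash should be written down off the stick, because a stick that is writable can have its manifest rewritten along with its tools.

```shell
# Added example (not from the thread). $1 is the mount point of the repair
# stick; the file layout used in the usage notes below is constructed.

# Run on the clean PC: hash every file on the stick except the manifest itself.
build_manifest() {
    local dir="$1"
    (cd "$dir" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | sort -z | xargs -0 sha256sum) > "$dir/MANIFEST.sha256"
}

# Run before using the stick: exit 0 only if every listed file still matches.
verify_manifest() {
    local dir="$1"
    (cd "$dir" && sha256sum -c --quiet MANIFEST.sha256) >/dev/null 2>&1
}

# sha256sum -c only checks files that are listed, so a file that was added to
# the stick later would pass unnoticed. List any file not present in the manifest.
unexpected_files() {
    local dir="$1" have listed
    have=$(mktemp); listed=$(mktemp)
    (cd "$dir" && find . -type f ! -name MANIFEST.sha256 | sort) > "$have"
    # Strip the 64-hex-digit hash and the two-space separator, keep the path.
    sed 's/^[0-9a-f]\{64\}  //' "$dir/MANIFEST.sha256" | sort > "$listed"
    comm -23 "$have" "$listed"          # lines only in "have" = not in manifest
    rm -f "$have" "$listed"
}

# Usage (paths constructed for illustration):
#   build_manifest /media/clean-stick        # on the clean PC
#   verify_manifest /media/stick || echo "stick contents changed"
#   unexpected_files /media/stick            # prints any file not in the manifest
```

The manifest is stored on the stick for convenience, but the check only means something if the stick was write-protected between building and verifying, or if you compare the manifest's hash against the copy you kept elsewhere.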
10 Feb 2016   #10
Golden
Microsoft MVP

Windows 7 Ult. x64
 
 

Try booting any live Linux distribution from USB/DVD, and from the terminal run the dd command:

Code:
dd if=/dev/urandom of=/dev/<target device>

This will write a random mix of 0 and 1 across the entire disk. Nothing will survive this wipe. For 500GB this will take about 6 hrs.

If you are paranoid, run dd a second time immediately after the first, using the same command.
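A way to confirm that the wipe above really left nothing recognisable behind, added as an example and not Golden's own code: the functions below read back the two places a partition table announces itself (the MBR boot signature at byte 510 and the GPT header at LBA 1) and report whether either survives. `wipe_with_random` runs the same `dd if=/dev/urandom` overwrite, with a `count=` added so it can be dry-run on a constructed image file; on a real disk the target is the block device and dd stops at the end of the device by itself. The sample image is constructed for the demo. The check only covers sectors the host can address, so it says nothing about firmware or about space the drive does not expose.

```shell
# Added example (not from the thread). $1 is the wipe target: the block device
# on a real disk, or a plain image file for a dry run.

# Print $3 bytes at byte offset $2 of $1 as a lowercase hex string.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Returns 0 (true) if an MBR boot signature or a GPT header is still present.
has_partition_signature() {
    local found=1
    # MBR boot signature: bytes 0x55 0xAA at offset 510.
    if [ "$(hex_at "$1" 510 2)" = "55aa" ]; then
        echo "MBR boot signature present at offset 510"
        found=0
    fi
    # GPT header: the ASCII string "EFI PART" at the start of LBA 1 (offset 512).
    if [ "$(hex_at "$1" 512 8)" = "4546492050415254" ]; then
        echo "GPT header signature present at offset 512"
        found=0
    fi
    return $found
}

# Overwrite the whole target with random bytes, the same as the dd command
# above. A block device ends by itself; a regular file needs count= so the
# write does not keep growing the file until the filesystem is full.
wipe_with_random() {
    local size blocks
    size=$(wc -c < "$1")
    blocks=$(( (size + 511) / 512 ))
    dd if=/dev/urandom of="$1" bs=512 count="$blocks" conv=notrunc 2>/dev/null
}

# Constructed sample: an 8-sector image carrying both signatures, as a freshly
# partitioned disk would. Octal \125\252 is 0x55 0xAA.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf 'EFI PART' | dd of="$1" bs=1 seek=512 conv=notrunc 2>/dev/null
}

# Dry run on an image file (a real disk would be wiped in place the same way):
#   img=$(mktemp); make_sample_image "$img"
#   has_partition_signature "$img"      # reports both signatures
#   wipe_with_random "$img"
#   has_partition_signature "$img"      # reports nothing, returns 1
```

Running `has_partition_signature` against the real device after the wipe is the quick sanity check; a GPT also keeps a backup header in the last sector of the disk, which the same `hex_at` read can be pointed at once the device size is known.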