Category: Windows Vista


Recently I encountered a computer that would not let me turn on file and printer sharing in Vista. Every time I tried to turn on printer sharing, I was given a message that said something I can no longer remember. If I do, I will update this post.

Through a little work, I discovered that the Base Filtering Engine service was deleted. This was done by malware. The fix was easy enough. I just followed the instructions at the link below. It has registry files to repair the BFE service for Vista and Windows 7.

http://www.hageltech.com/blog/2012/02/07/base-filtering-engine-problems.html

This would be a good place to also provide two other commands that can fix network problems. Both must be run as an Administrator.

  • netsh int ip reset resetlog.log
  • netsh winsock reset

Also be sure to use Kaspersky’s TDSSKiller because if BFE is missing, chances are good the computer has a rootkit or an infected MBR.
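As an added example (not part of the original post), a read-only PowerShell check for the symptom described above: whether the BFE service and its registry key still exist, and what that means for the Windows Firewall service (MpsSvc), which depends on BFE. Run it from an elevated PowerShell; it only reports and does not repair anything.

```powershell
# Added diagnostic, not from the original post. BFE (Base Filtering Engine),
# its key under HKLM\SYSTEM\CurrentControlSet\Services, and MpsSvc
# (Windows Firewall) are the documented Windows service names.
$bfeKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\BFE'

function Test-BfeHealth {
    $report = New-Object PSObject -Property @{
        RegistryKeyPresent = (Test-Path $bfeKey)
        ServiceRegistered  = $false
        ServiceStatus      = 'Missing'
        StartValue         = $null      # 2 = Automatic, 3 = Manual, 4 = Disabled
        FirewallStatus     = 'Unknown'
    }

    # Get-Service fails loudly when the service has been deleted, so suppress
    # the error and treat "not found" as the finding we are looking for.
    $svc = Get-Service -Name BFE -ErrorAction SilentlyContinue
    if ($svc) {
        $report.ServiceRegistered = $true
        $report.ServiceStatus     = $svc.Status.ToString()
        $start = Get-ItemProperty -Path $bfeKey -Name Start -ErrorAction SilentlyContinue
        if ($start) { $report.StartValue = $start.Start }
    }

    # The firewall cannot run without BFE; a stopped MpsSvc is a second symptom.
    $fw = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    if ($fw) { $report.FirewallStatus = $fw.Status.ToString() }

    return $report
}

$health = Test-BfeHealth
$health | Format-List RegistryKeyPresent, ServiceRegistered, ServiceStatus, StartValue, FirewallStatus

if (-not $health.ServiceRegistered) {
    Write-Warning 'BFE service is not registered. Restore it from a known-good registry export (see the linked post) and scan for a rootkit.'
} elseif ($health.ServiceStatus -ne 'Running') {
    Write-Warning "BFE is registered but $($health.ServiceStatus); check its Start value and the service log before restarting it."
}
```

If the key is present but the service is missing or will not start, the key may be damaged rather than deleted, which the same registry repair covers.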


A Windows Vista laptop is currently not booting. System Restore did not work. The customer said the blue screen of death appeared, but I never saw it. The system file checker in the recovery console did not work either: it said it found corrupt files but was unable to fix them. I tried chkdsk, bootrec /fixboot and bootrec /fixmbr from the recovery console already on the computer. When I was attempting to boot in safe mode, the boot process stopped after loading hal.dll.

Because bootrec did not work and because safe mode stopped after hal.dll, I thought it was a virus infecting one of the Windows files. That is why I ran the system file checker. So I decided to scan the hard drive for viruses.

I pulled the hard drive and scanned it with Eset on my computer. Eset discovered a boot sector rootkit and several other rootkit files on the computer, but didn’t clean any of them. (If I copied some of the files to my hard drive, Eset removed the file off my hard drive. Eset tends to be better at keeping things off than at getting things off.) I found this interesting because I had already run bootrec, which should have cleared and recreated the Master Boot Record and boot sector. Since Eset didn’t clean the boot sector, I ran Kaspersky’s TDSSKiller and that cleaned the boot sector.

I didn’t try to run the bootrec or bootsect commands from the Windows 7 disc. I wonder if these new rootkits alter the built-in recovery console so that the bootrec command does not clear the boot sector rootkit. From now on, if I suspect there is a rootkit I will boot using the Windows DVD and then try to fix the boot sector.

These are the malware types Eset identified (Eset tends to use its own names rather than industry-standard ones):

  • Kryptik.AGVE trojan
  • Kryptik.AHVU trojan
  • Olmarik.AXY trojan – This is Eset’s name for the TDSS rootkit