Unauthorised deployment, MS hotfixes remotely deployed via CMD, non-stop silent system file corruptions, unattended installations – how can I protect?

Tags:
Microsoft Security
Microsoft Windows 7
Network security
Networking
Windows 7 deployment
Hi, I could really use some help securing my systems. I have been having some problems with deployment functionality being used to effectively supersede the BUILTIN Administrator accounts in my systems, limiting their privileges substantially. About 9 weeks ago, I noticed my permissions were being taken away whilst logged in as Administrator, and I was unable to wrestle them back from TrustedInstaller, who took control of all Audit and Special permissions, basically taking Full Control and removing my access. I was unable to delete some files, download others, and execute some applications (mostly AV programs). A flash GMER scan showed up a rootkit:
---- Services - GMER 1.0.15 ----

Service C:\Windows\servicing\TrustedInstaller.exe (*** hidden *** ) 

That was 9 weeks ago. 

From that point, I started seeing new symptoms every time I had to format and reinstall, which was often. A number of times, hotfixes were deployed despite Windows Update being deactivated, as soon as I brought the system online. One example:
http://i.imgur.com/Lm6uo.png

Confused, I checked Event log and saw the Hotfix had been installed by a command: 
http://i.imgur.com/kMPmj.png

I Googled the command and got only a handful of hits, all referencing Forefront Endpoint Protection, which I guess was remotely deploying onto my system. My systems are now all mostly kaput, having been very well protected...from me. 

I have mountains of data but I don't have the requisite skills / knowledge to secure my systems (I'm about to buy new ones, but not until I can figure out how to secure them). 

I have cbs.log files that are just...I can't make sense of them. One example: yesterday, an MSSE update downloaded by MSSE suddenly appeared in Windows Update 6 hrs later as an optional update. I downloaded and installed it; the entire process took under a minute. I checked cbs.log and almost fell off my chair. I think 7100 cbs.log entries in 41 seconds. But I don't know what they're telling me. 

In my cbs.log files, I see client initiated sessions by DISM, Package Manager Provider, Software Explorer and various things which all seem to suggest unattended installations. 

If I run sfc /scannow it finds a lot of corrupted files and replaces them. If I run sfc /verifyonly it finds a lot of corrupted files and replaces them. I found that pretty surprising. I don't know if SFP or WFP are the 'enemy' or an 'ally', but they're working against each other, with WFP silently replacing all the files replaced by sfc /scannow. And it goes around in circles like that.

I just ran sfc /scannow to create some output. 3253 lines from a single sfc /scannow command; the first 400 of which are here: http://codepad.org/V3gFV7Z0 (I can upload the entire logs to Google Docs for download if that will assist?) 

I'm rather annoyed at myself, in hindsight, for wasting my time on malware forums. I should have realised months ago that the malware (of which there is plenty) is merely a side-effect of the real issue, which I think basically boils down to BUILTIN Administrator being relegated and severely limited (services greyed out, permission denied messages, etc.). 

Thanks in advance for your expertise; and please let me know if there's anything at all I can provide (installation logs, or screenshots or anything) that might assist. cheers!


Software/Hardware used:
Windows 7 Ultimate
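The poster's "7100 cbs.log entries in 41 seconds" question is easier to answer once the log is reduced to one row per servicing session. The script below is an added example and is not code from the original post or from Microsoft: it extracts the "Session: ... initialized by client ..." lines that CBS writes whenever a client (the Windows Update agent, DISM, SFC, MSE's "Software Explorer" and so on) opens a servicing session, and summarises sessions per client with first and last timestamps. The sample lines are constructed in the CBS.log layout and are not the poster's log; the real log lives at %SystemRoot%\Logs\CBS\CBS.log and needs an elevated PowerShell 3 or later prompt to read while TrustedInstaller holds it open.

```powershell
# Added example, not code from the original post or from Microsoft.
# Reduces CBS.log to one object per servicing session and summarises which
# clients opened sessions and when. Sample lines are constructed (CBS.log layout,
# made-up session ids and times), not the poster's log.

function Get-CbsSession {
    # One object per "Session: <id> initialized by client <name>." line.
    param([Parameter(Mandatory = $true)][string[]]$Line)

    # Layout: "<yyyy-MM-dd HH:mm:ss>, <level>   CBS   Session: <id> initialized by client <name>."
    $pattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?<level>\w+)\s+CBS\s+Session: (?<id>\S+) initialized by client (?<client>.+?)\.\s*$'

    foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                Time    = [datetime]::ParseExact($Matches['ts'], 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
                Session = $Matches['id']
                Client  = $Matches['client']
            }
        }
    }
}

function Get-CbsClientSummary {
    # Sessions per client with first/last time, most active client first.
    param([Parameter(Mandatory = $true)][string[]]$Line)

    Get-CbsSession -Line $Line |
        Group-Object -Property Client |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object -Property Time)
            [pscustomobject]@{
                Client   = $_.Name
                Sessions = $_.Count
                First    = $sorted[0].Time
                Last     = $sorted[-1].Time
            }
        } |
        Sort-Object -Property Sessions -Descending
}

# Constructed sample in the CBS.log layout (not taken from the original post).
$sample = @(
    '2012-10-21 14:03:11, Info                  CBS    Starting TrustedInstaller initialization.'
    '2012-10-21 14:03:12, Info                  CBS    Session: 30321189_2063452131 initialized by client WindowsUpdateAgent.'
    '2012-10-21 14:03:40, Info                  CBS    Session: 30321189_2063981223 initialized by client DISM Package Manager Provider.'
    '2012-10-21 14:03:41, Info                  CBS    Session: 30321189_2064001987 initialized by client DISM Package Manager Provider.'
    '2012-10-21 14:04:02, Info                  CBS    Session: 30321189_2064223112 initialized by client SFC.'
    '2012-10-21 14:04:02, Error                 CBS    Failed to internally open package. [HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]'
    '2012-10-21 14:05:50, Info                  CBS    Session: 30321189_2065113009 initialized by client Software Explorer.'
)

Get-CbsClientSummary -Line $sample | Format-Table -AutoSize

# On the affected machine (elevated prompt; the live log is held open by TrustedInstaller):
# Get-CbsClientSummary -Line (Get-Content -LiteralPath "$env:SystemRoot\Logs\CBS\CBS.log") | Format-Table -AutoSize
```

Non-session lines (the "Starting TrustedInstaller initialization" and "Failed to internally open package" entries in the sample) are dropped by the regex, so the thousands of per-file lines an sfc /scannow run produces collapse into a single SFC row. A client name you did not start yourself, with sessions clustered at a time when the machine had just come online, is the thing worth looking at; the per-file noise below it is not.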

Answer Wiki


I have noticed that, on the Technet Windows server forums. It’s incredibly bizarre; entire threads of people who are writing English, but it’s ad hoc cut pastes or something…it’s fascinating, I don’t really get it though…

Meanwhile my BUILTIN Administrator is as useless as ever. My hardware I/O date is hijacked now. I think it’s time to light a bonfire and start fresh; which I’d be okay with, if I was sure I would be…

http://i.imgur.com/wnrNm.png ("Administrators have unrestricted access", say Microsoft. Um. no.)

Discuss This Question: 5 Replies

  • Subhendu Sen
    Starting with Vista, it is not necessary to obey the old advice which came from earlier versions of Windows. MS now delivers a product (Windows 7 / 2008) that is significantly more secure than earlier versions. Unlike in the past, it is not necessary to download "NSA security" templates / modify the system in a way to be fairly secured from scratch. As I read your full thread, and if I am not wrong, your basic motto is to secure the system.....

    You have to enable "BitLocker"; it is a good feature that is used to encrypt any volume on the HDD including boot, system, and even removable media like USB. It will not allow anybody to access files until and unless they enter the correct password.

    You may use User Account Control / UAC, as MS made so many improvements, depending on the type of user (Admin / standard user). There is a UAC slider bar to allow admin / normal users to adjust the UAC security level. After installing all software (as per your requirements) adjust the UAC slider bar to "Always notify"; it is the most secure setting.

    Win 7 has a default web browser called IE8. When you are using IE8, make sure that the SmartScreen Filter option is enabled.

    Always prepare for the worst thing, i.e. system crash / unexpected handle errors, so navigate to Control Panel > System and Security > Backup and Restore.

    Always enable "Automatic Updates from Microsoft". It helps to enhance Win 7's performance as well as updating it against all the latest threats and loopholes.

    Now, about the confusion of "MSSE"..... If you do not set the update via Windows Update, then MSSE will still download and install it when it checks for updates on its own. I am not sure, but I am guessing that the possible reason behind the problem is that there is conflicting security software installed, either fully or partially. First, remove all other security software from your PC and enable auto update.
  • Goscuter1
    "it is not necessary to download 'NSA security' templates / modify the system in a way to be fairly secured from scratch."
    Actually it is, otherwise MSSE wouldn't a) be useless, and patched as easy as a yawn; and b) it would be the first 'hotfix' off the rank. But Microsoft's corruption is not the scope of this thread.

    "You have to enable 'BitLocker'; it is a good feature that is used to encrypt any volume on the HDD including boot, system, and even removable media like USB. It will not allow anybody to access files until and unless they enter the correct password."
    No, that's incorrect. BitLocker is a disaster, and its functionality is limited to worthlessness by virtue of the fact that when you're logged in, your hard drive is opened up and exposed. It's a good tool if you're worried about your hard drive getting physically stolen. But then, a safe would be safer. I've lost two hard drives to BitLocker clashing with the Dell TPM. I won't be striking out.

    "You may use User Account Control / UAC, as MS made so many improvements, depending on the type of user (Admin / standard user). There is a UAC slider bar to allow admin / normal users to adjust the UAC security level. After installing all software (as per your requirements) adjust the UAC slider bar to 'Always notify'; it is the most secure setting."
    We're talking about something maybe 18 levels of sophistication above a sliding UAC bar. I'm being attacked via silent remote code deployment, i.e. I'm not the Administrator of my own systems, as I stated above. The hackers are my System Administrators.

    "Win 7 has a default web browser called IE8. When you are using IE8, make sure that the SmartScreen Filter option is enabled."
    Pretty sure we're up to IE10 now. But thanks.

    "Always prepare for the worst thing, i.e. system crash / unexpected handle errors, so navigate to Control Panel > System and Security > Backup and Restore."
    One of the vulnerabilities is System Restore. The corrupted files are pulled from the System Restore repositories.

    "Always enable 'Automatic Updates from Microsoft'. It helps to enhance Win 7's performance as well as updating it against all the latest threats and loopholes."
    Did you read any of my post?

    "Now, about the confusion of 'MSSE'..... If you do not set the update via Windows Update, then MSSE will still download and install it when it checks for updates on its own. I am not sure, but I am guessing that the possible reason behind the problem is that there is conflicting security software installed, either fully or partially. First, remove all other security software from your PC and enable auto update."
    MSSE is patched by these guys. We're talking about chalk and cheese here. Is there any server administrator who is proficient in DISM and endpoint deployment that can help me? Please?
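Goscuter1 asks above for someone proficient in DISM and endpoint deployment. Whoever picks that up would start by establishing provenance for each installed package rather than by reading 7000-line logs, and by checking that the TrustedInstaller binary GMER flagged is the file Windows is supposed to run. The script below is an added example, not code from the thread or from Microsoft. It joins Get-HotFix (which records who installed each package) with the Windows Update client's own install events in the System log and with the servicing events in the Setup log, so that a package which CBS installed but which the Windows Update agent never logged stands out; it then resolves the TrustedInstaller service's ImagePath from the registry and verifies the Authenticode signature, owner and start type of the file it points at. It assumes an elevated PowerShell 3 or later prompt on Windows 7 or later; the event IDs and the registry key are the standard ones for those components, not anything read off the poster's screenshots.

```powershell
# Added example, not part of the thread and not Microsoft code.
# 1. Provenance for recently installed packages: who installed it, did the WU agent
#    log it, did CBS log it.
# 2. Sanity check of the TrustedInstaller service binary (path, signature, owner).
# Assumes an elevated PowerShell 3+ prompt on Windows 7 or later.

function Get-UpdateProvenance {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # System log, provider Microsoft-Windows-WindowsUpdateClient:
    # 43 = installation started, 19 = installation succeeded, 20 = installation failed.
    $wuEvents = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
            Id           = 19, 20, 43
            StartTime    = $since
        } -ErrorAction SilentlyContinue)

    # Setup log, provider Microsoft-Windows-Servicing: 2 = package changed to Installed state.
    # CBS raises this whichever client (WU agent, DISM, wusa.exe, pkgmgr) drove the install.
    $cbsEvents = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'Setup'
            ProviderName = 'Microsoft-Windows-Servicing'
            Id           = 2
            StartTime    = $since
        } -ErrorAction SilentlyContinue)

    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since.Date } |
        ForEach-Object {
            $kb = $_.HotFixID
            [pscustomobject]@{
                HotFixID        = $kb
                InstalledOn     = $_.InstalledOn
                InstalledBy     = $_.InstalledBy   # SYSTEM for the WU agent; a user name for wusa.exe / DISM runs
                WUClientEvents  = @($wuEvents  | Where-Object { $_.Message -match $kb }).Count
                ServicingEvents = @($cbsEvents | Where-Object { $_.Message -match $kb }).Count
            }
        } |
        Sort-Object -Property InstalledOn -Descending
}

function Get-TrustedInstallerBinaryStatus {
    # The CBS service ("Windows Modules Installer") should point at the signed
    # binary in %SystemRoot%\servicing and be Manual-start (Start = 3).
    $key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\TrustedInstaller'
    $svc       = Get-ItemProperty -Path $key
    $imagePath = [Environment]::ExpandEnvironmentVariables($svc.ImagePath.Trim('"'))
    $expected  = Join-Path $env:SystemRoot 'servicing\TrustedInstaller.exe'
    $sig       = Get-AuthenticodeSignature -FilePath $imagePath
    $signer    = '(unsigned)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        ImagePath   = $imagePath
        PathMatches = ($imagePath -ieq $expected)
        SignatureOk = ($sig.Status -eq 'Valid')
        Signer      = $signer
        StartType   = $svc.Start              # 2 = Automatic, 3 = Manual, 4 = Disabled
        Owner       = (Get-Acl -Path $imagePath).Owner
    }
}

Get-TrustedInstallerBinaryStatus | Format-List
Get-UpdateProvenance -Days 7 | Format-Table -AutoSize
```

Read the provenance table by contrast: a package with ServicingEvents greater than zero but WUClientEvents of zero was installed through CBS by something other than the Windows Update agent, which is exactly the distinction between "Windows Update is deactivated" and "a hotfix was installed by a command" in the original post, and InstalledBy names the account the installer ran as. For the binary check, PathMatches, SignatureOk and a Microsoft signer together say the file on disk is the one Windows ships; a GMER "hidden" flag on that service is a separate question from whether the executable has been replaced, and this check answers only the latter.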
  • Subhendu Sen
    :)
  • carlosdl
    Goscuter1, don't blame Rechil. Most likely, he was only copy-pasting someone else's words. :D
  • hayw0027
    Awesome, now I know.
