• ×
    Information
    Windows update impacting certain printer icons and names. Microsoft is working on a solution.
    Click here to learn more
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
  • ×
    Information
    Windows update impacting certain printer icons and names. Microsoft is working on a solution.
    Click here to learn more
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
Guidelines
We have new content about Hotkey issue, Click here to check it out!
HP Recommended

RE: Windows 7_Cyberattack Vulnerability Exploited

 

Using a z420 (Xeon E5-1650 v2 /64GB / GTX 1060 / Samsung 860 EVO 500GB + HGST 7K6000 4TB / HP OEM Windows 7 Pro'l64-bit), last Friday using the Chrome browser- which will not allow many sites' access with a VPN (PIA) running, resulted in a serious cyberattack, resulting in necessitating a complete restoration of C:/ and the changing of every password.

 

The attack was quite clever in that it was disguised as an MS OS update.  When shutting the system down, the familiar message to the effect that "Windows is installing updates, do not turn off the computer".  It took a moment to process the conflict with the fact that Windows 7 updates- which were mostly security related toward the end of support, had been ended on January 14, 2020,  meaning that this was an exploit, possibly phishing or ransomware.  However, the surprise of this delayed the reasoning and the cold shutdown at the power switch for probably two to three minutes.

 

The damage was done however and upon restart, Windows would not start, only displaying the "configuring Windows updates" screen.  Attempt to start Windows in Safe Mode and etc. did not work, the startup would revert to the "configuring updates screen, appearing that it would never complete that process, possibly buying time, disguising phishing for passwords and data. 

 

 I have the z420_3 system image on an external HD (HP/HGST Enterprise 6TB) that is never run except during backup which could have used to restore the z420_3 drive by installing it in z620_2, but instead I simply cloned the z620_2 drive (HP Z Turbo Drive M.2 AHCI 256GB, as I had recently gone through that drive (CCleaner) and  multiple scans (Malwarebytes, AdwareCleaner).  As the BIOS and Windows version of z620_2 and z420_2 are identical, and the software I use allows installation on two systems as long as they are not used simultaneously, all the programs are activated and settings are correct. 

 

The cloning (187GB) from the fast M.2 ZTurbo Drive to the reasonably fast Samsung 860 EVO connected to an internal SATA 3.0 port was quite fast, perhaps 20-25 minutes. And the Passmark PerformanceTest results demonstrated a reasonable improvement. This test was run at 4.2GHz on all cores, but the test conditions were not optimized as this system is usually run all-core at 4.3GHz:

 

z420_2 PT 9.0 Test_ @ 4.2GHz

 

z420_3_4.3GHz_4K_5586_5.31.20.jpg

While the rating is  off that system's peak of 5644 (see peak results below), the Disk Mark is highest result for that drive, perhaps reflecting the recent maintenance effort.

 

As I was concerned that the exploit was phishing, I changed all passwords, and this was far more time-consuming than the system recovery.

 

This occurred despite using an VPN (PIA), Firefox running unlogged DuckDuckGo searches and beginning today, using the Tor Browser. 

 

I had hoped that continuing use of Windows 7 would be possible, thereby saving the considerable expense of replacing programs and hardware that will not run on Windows 10, but half an hour in the hard-tracking Chrome and shut-down VPN environment was the first successful attack since 2010.  I strongly recommend anyone still using Windows 7 to use a VPN  (recommended: PIA or Nord), the Tor Browserand suggest considering Proton Mail which is encrypted and to end for anything with financial or proprietary content.

 

My recent use of Windows 10 on the HP ZBook 17 G2, however is still not encouraging the change. In my view, the reason Win 10 was initially given away is probably that it is hard-wired for tracking / surveillance and the resulting data must be sufficiently profitable. Particularly concerning is  Microsoft Edge, which as far as I know, can not be removed and not modified in important privacy categories.  An example of this situation; when setting up, I turned off at least seven or eight modes of the ZBook 17 G2 OS reporting to MS , but had used the system for at least ten hours before learning that the camera and microphone were by default always on.  

 

BambiBoomZ

 

HP z620_2 (2017) (R7) > Xeon E5-1680 v2 (8C@ 4.3GHz) / z420 Liquid Cooling / 64GB (HP/Samsung 8X 8GB DDR3-1866 ECC registered) / Quadro P2000 5GB _ GTX 1070 Ti 8GB / HP Z Turbo Drive M.2 256GB AHCI + Samsung 970 EVO M.2 NVMe 500GB + HGST 7K6000 4TB + HP/HGST Enterprise 6TB /   Windows 7 Prof.’l 64-bit  (HP OEM) [ Passmark Rating = 6280 / CPU rating = 17178 / 2D = 819 / 3D= 12629 / Mem = 3002 / Disk = 13751 / Single Thread Mark = 2368 [10.23.18]

HP z420_3: (2015) (R11) Xeon E5-1650 v2 (6C@ 4.3GHz) / z420 Liquid cooling / 32GB (HP/Samsung 4X 8GB DDR3-1866 ECC registered) / EVGA SSC GTX 1060 6GB/ Samsung 860 EVO 500GB + HGST 4TB / 600W PSU > Windows 7 Professional 64-bit (HP OEM ) [Passmark System Rating: = 5644 / CPU = 15293 / 2D = 847 / 3D = 10953 / Mem = 2997 Disk = 4858 /Single Thread Mark = 2384 [6.27.19]

 

HP ZBook 17 G2: (2015 ) i7-4940MX Extreme (4C@ 3.1/ 4.0GHz) / 32GB / Quadro K3100M 4GB / Kingston 480GB SATA SSD / 17.3" LCD 1920 X1080 panel > HP docking station> video DP to HP 2711x 27" LCD + Dell 17" (2007!) [Passmark System Rating: = 3980 / CPU = 10140 / 2D = 618 / 3D = 2779 / Mem = 2559 Disk = 4662 / Single Thread Mark = 2387 [1.3.20]

5 REPLIES 5
HP Recommended

i run a VMware win 7 x64 Os and my last update check was 4/302020 i just manually reran the MS win 7 updater (6/2/2020) and received 1 MS update which was the "windows Malicious software Update Tool x64" kb890830 which is a definition update to the ms virus checker included with win 7, this update would have been automatically queued for install if i had simply waited while connected to the internet

 

so your update may very well have been a valid ms update, and it may have been your cold shutdown during the ms update that borked your win 7 install

HP Recommended

Hello
Indeed, the reasoning here seems a little quick!
If you stop an update, by suddenly shutting down a computer, the result is often catastrophic
So I also have a doubt!
I still use windows 7 and I have not yet been a victim of this kind of virus!

 

--------------------------------------------- Signature ---------------------------------------------
was this reply helpful , or just say thank you ? Click on the yes button

Please remember to mark the answers this can help other users
please click on the accept as solution button if message provided an answer to the problem




Desktop-Knowledge-Base
Windows 11 22h2 inside , user

------------------------------------------------------------------------------------------------------------
HP Recommended
this is why i pointed out a alternative to a possible virus attack, however if in doubt pulling the plug is something i might do as i have no problems doing a restore or os reinstall.... the original poster based on his previous posts is also comfortable doing a reinstall if necessary 
 
i just wanted beginners not to believe that the win 7 virus updates ms posts  are all virus attacks
HP Recommended

DGroves,

 

I appreciate the reply.  However, when this update was loading, the appearance did not look reasonable; it was low resolution, the rotating blue ball was disproportionately large, MS updates have always been on Tuesdays or Thursdays at 1:20-2AM and not Fridays at 11PM, and that update was never received by z620_2 -a nearly identical system.  Z420_3 had been fully shut down several times that day perhaps only about three hours earlier. My settings too included an options panel. so listings were "Important" and others "optional" from which I selected.  Security related updates were always installed.

 

Checking the update history, Windows Malicious software Update Tool x64 KB890830 was successfully installed on z620_2 on 5.14.20 and there are no pending updates (except 5 "Optional", none newer than 2.12.20.  That listing is however for z620_3 as the z420_3 list was overwritten on the system recovery.

 

Given the earlier malware notice referring to Chrome, the unconventional appearance, day of the week, record of the update to which you refer having been installed on 5.14. and choosing to err on the safe side, The decision is still seems the proper one. If that were indeed a genuine MS update,  I would appreciate hearing from other users that had an update on 5.29.20. If it was real, I can't have been the only recipient.

 

I hope you're correct and it was nothing. Anyway, now I have clone of my main system in case something happens to it, or it's tied up with renderings, I can stay at work.  Last week I ran about 30 large renderings (VRay/CPU) of 260MB files and each of those on took close to an hour on z620_2. I might have queued those overnight, but each new renderning was based on the changes to the 3D model based on results of the previous iteration.

 

And, Promethee, thank you also.  It was indeed a hasty decision, but as I thought it even possible that either my passwords and data were stolen or my files were being encrypted, the decision could not wait.

 

I'm writing MS for a conclusive answer.

 

BambiBoomZ

HP Recommended

Yes, I understand that this can be worrying.
But you know, in this case, you should not turn off the pc like that, you risk losing everything, and damaging the computer.
Sometimes this is not very risky, but in rare cases, a component could be damaged.
Since there was talk of an update, the better and to disconnect the computer from the internet, there is no risk of data being stolen, as long as the net is not on the way!
Rather than switching off at the button, opening the task manager, and trying to close the process on the way, moreover, this is visible if it is windows ubdate which is launched, normally!
Try to shut down the computer normally
you can then download an antivirus utility which can be launched before windows in order to analyze the computer

--------------------------------------------- Signature ---------------------------------------------
was this reply helpful , or just say thank you ? Click on the yes button

Please remember to mark the answers this can help other users
please click on the accept as solution button if message provided an answer to the problem




Desktop-Knowledge-Base
Windows 11 22h2 inside , user

------------------------------------------------------------------------------------------------------------
† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the <a href="https://www8.hp.com/us/en/terms-of-use.html" class="udrlinesmall">Terms of Use</a> and <a href="/t5/custom/page/page-id/hp.rulespage" class="udrlinesmall"> Rules of Participation</a>.