Classic Shell: Forum

In early August (specifically only on one day, Aug 2nd, 2016) and only for a few hours, the download mirror which a third party website, FossHub, was hosting for Classic Shell version 4.3.0 got hacked by some hackers calling themselves Peggle Crew. They did not tamper with the Classic Shell files, instead they managed to replace the installer file with another fake installer containing a trojan that when launched, corrupts the MBR (Master Boot Record) of the PC. This renders the computer unbootable.

As soon as the hack was detected, the download link on the main site http://www.classicshell.net was fixed to link to a clean installer file. Classic Shell became once again safe to download immediately after the hack was detected within a few hours and the fake installer replaced with a genuine one.

Those of who who pay attention to the UAC prompt in Windows should not have gotten infected because the authentic installer is digitally signed and shows a green UAC prompt along with the developer's name, whereas the fake one shows a bright yellow UAC prompt indicating a warning. The infection can only happen if you say Yes to the UAC prompt of the fake installer, not if you doubled click it but said No to the UAC prompt.

Here is a FAQ for those of you whose PC got affected by malware when they accidentally downloaded and ran the hacked installer on August 2nd, 2016. Anyone else downloading the current installer after August 2 or now should rest assured that it is clean and free of malware. You can verify this by checking the digital signature of the installer's properties.

How do I know I have downloaded the correct file?
There are few things to watch for:

• Check the file properties in Explorer – right-click -> Properties. Look for a tab named “Digital Signatures”. It should list “Ivaylo Beltchev” as the signer. The hacked file doesn’t even display the “Digital Signatures” tab.
• When you run the real installer it will not immediately ask you for admin permissions. Only after you finish selecting your settings you will be asked. The hacked file asks right away.
• The prompt for permissions will be blue for the real file and say "Verified publisher: Ivaylo Beltchev". The fake file will show a yellow prompt and say "Publisher: Unknown".
• The fake file will of course not install Classic Shell. It will just flicker once and exit. So if you managed to install Classic Shell 4.3.0, then you had the right file and you are safe

What do I do if I launched the fake file and got infected?
If you haven’t rebooted yet, save your work and back up your important files. If things go very wrong you may have to reinstall Windows and will lose your files.
Also make sure you have a working Windows 10 disk before rebooting. You can make one using the instructions here: https://www.microsoft.com/en-us/softwar ... /windows10
To repair the MBR, follow the instructions here:
viewtopic.php?f=12&t=6440
Also in video form:
https://www.youtube.com/watch?v=DD9CvHVU7B4

There are also few forum threads with useful information:
viewtopic.php?f=12&t=6434
viewtopic.php?f=12&t=6437

Reddit thread about the hack and possible fixes:
https://www.reddit.com/r/pcmasterrace/c ... shell_read

Once again, we assure you that except for a few hours on August 2nd, 2016 when Classic Shell's installer was hacked, Classic Shell is completely safe to use again.

_________________
Links to some general topics:

● Compare Start Menus

● Read the Search box usage guide.

I am a Windows enthusiast and did Classic Shell's testing and usability/UX feedback.

Hi, I am on business laptop and very precious data for us.

In morning, I got update option and I did so.

But I don't know, is it fake one or original one ?

but I have check in folder and than property > digital signature > Ivaylo Beltchev

now I am in dobt.

am I safe now ? or still need anything to do it ?

I have more than 2 TB data on it.

If the installer properties has a tab called "Digital signatures" and if after clicking "Details", you see that the digital signature is OK and the signer is Ivaylo Beltchev, then it is the genuine installer and is safe to run:

_________________
Links to some general topics:

● Compare Start Menus

● Read the Search box usage guide.

I am a Windows enthusiast and did Classic Shell's testing and usability/UX feedback.

Please check below file.

Why would anyone do this? There's no point in messing with some random person's PC, it's just evil.

I downloaded literally right after this was resolved and had a pretty huge panic attack when I learned.

@ankupan, download the installer from http://www.classicshell.net/downloads/latest. That is clean and safe. Install it on top of your version which is just an older one with an expired certificate.

_________________
Links to some general topics:

● Compare Start Menus

● Read the Search box usage guide.

I am a Windows enthusiast and did Classic Shell's testing and usability/UX feedback.

Hi guys, quick question.. my boot drive seems to be ok, but I seem to have lost my secondary drive, which was partitioned into E and F. Is this possible ? Btw, shows up as unallocated in Computer Management

I have a clean Windows 10 installation with UEFI/GPT partitions, and my system was not able to boot. It simply showed no entry in the bios boot menu. I'm sure it's UEFI/GPT. The bios boot menu says it is UEFI what I'm booting, and diskpart list disk says it's GPT.

Windows recovery was not able to fix the boot problem, so I tried the integrated system image restore function of Windows 10 by booting from my Windows 10 install USB stick. The USB stick was created by the Microsoft Media Creation tool. The system image was created by me before the update with the "Backup and Restore (Windows 7)" tool from within Windows.

It worked this way. I don't know what else that malware overwrote to ruin the system, so this was the most safe solution for me. Fortunately, I had that system image - I created it right before Windows 10 started to download the Anniversary update that evening.

For anyone who is not able to boot their PC or has lost secondary drive partitions, if the instructions by Ivo: viewtopic.php?f=12&t=6440 which are pretty simple to restore your MBR do not work for some reason, then with access to another clean computer, you could try creating a bootable USB or CD from any of the Live CD images with Testdisk: http://www.cgsecurity.org/wiki/TestDisk_Livecd . One of our forum members reported that using Testdisk they could fix the partition table on the compromised drive and restore the partition table completely with no issues. Do a quick scan using Testdisk and then add back the partition it finds and write it to disk. You also must rewrite the drive's infected MBR code with the Windows MBR code: https://tweakhound.com/2012/11/13/how-t ... ootloader/

_________________
Links to some general topics:

● Compare Start Menus

● Read the Search box usage guide.

I am a Windows enthusiast and did Classic Shell's testing and usability/UX feedback.

FYI the readme file for 4.3.0 says 4.2.5.

For me it says Version 4.3.0 –general release. Maybe the installer didn't update your files correctly.

_________________
Links to some general topics:

● Compare Start Menus

● Read the Search box usage guide.

I am a Windows enthusiast and did Classic Shell's testing and usability/UX feedback.

I just installed on a second computer and it shows the correct readme file. Not a big deal but strange.

The hack is apparently not fixed or you were hacked again. I downloaded your update on August 3rd, approximately 11:00 AM Moutain time (US). I experienced the problems related below and the recommended repair worked after a couple of additional reboots. No messages on screen--just a blank screen with the cursor showing before repair.

Where exactly did you download it from? The link on the main page points to Mediafire, and I just checked it still works.
If you look at the file properties, do you see a "Digital Signatures" tab?

This is what happened to me. That drive probably had an unused MBR. My system continued to boot but a second drive was "unallocated". It can be repaired but the Windows troubleshooting command-line method (bootrec /fixmbr) will not do it. It only works on your boot disk. I tried it and it wiped out my Linux boot menu, so beware.

I used the open source tool TestDisk to fix my partition but it is not for the faint of heart. I tried other tools but they did not correctly handle my 3TB drive or they cost too much or they did not address the actual problem. I'm sorry I can't recommend an easy fix but there may be some listed in these forums or elsewhere.

Your files should be safe but be careful with the tools you use. I used MiniTool Partition Wizard and it malfunctioned. By all appearances it was going to fix the problem but when the fix was applied, it did not correctly handle my 3TB drive. I was able to recover using TestDisk.

One final note: I ran CHKDSK on the drive after I got it working again. It reported "corrupt basic file structure" for 179 files. The files appeared to be perfectly usable and showed no problems. When CHKDSK "repaired" them, all their data was erased. Be careful. If you see these kinds of errors reported, try to backup the affected files before attempting to repair them. If you can, I advise transferring all of your files to a new drive and then reformatting your damaged disk to clear out any remaining weirdness.

Good luck.

Audacity got hit too, by the same people. According to the tweets from the people who claim responsibility for it, it was done to demonstrate Fosshub's weak security.

Is there any way to find out if the MBR is toast or not without restarting? I'm 99% sure I wasn't hit, but due to being slightly paranoid, it'd be nice to have some solid proof...is that possible? ._.

EDIT: I don't mean the installer, I mean what I've actually installed. I...may or may not have frantically deleted the installer as soon as I read the OP.

Also, what exactly is being done to prevent this from happening again? ._._._.

_________________
TILES WOOOOOO

@Splitwirez

If Windows boots then nothing happened to you...if don't need to be afraid for restarting fixing it is pretty easy. (and I wouldn't wonder if there would be an instant BSOD after the MBR is overwritten but I'm not sure of that)

And if you want no risk to get modified software: check if the app is signed, if available on the official website calculate and compare the md5 or sha hashes (this won't help e.g. on Fosshub if the hackers also changed those values on Fosshub) and check e.g. the size of the programm, if it is ridicilous small (< 1mb) then it could be virus in stead of a programm like classic shell with lots of features.

What I mean is I have no idea if I ran the installer I had, I don't have the installer, and I'm not too keen on restarting to find out. Can I somehow examine the intactness of the MBR itself?

_________________
TILES WOOOOOO

no it doesn't instantly BSOD when you delete/change the MBR; it waits till you restart your pc...

as far as knowing if you were hit before restarting. you might be able to find out by running msconfig (just type msconfig into the start menu)
and checking the boot tab. I would Imagine that your OS wouldnt be listed there with a broken MBR; though I havn't confirmed

I gathered that much.


Well my OS does show up...

_________________
TILES WOOOOOO

@Splitwirez, while there is no quick way to see if the MBR is infected, you can open boot.wim from \sources folder of your Windows Setup disk and extract bootrec.exe from C:\Windows\system32 inside boot.wim to your current Windows installation. Then run bootrec.exe /fixmbr from within Windows.

The way to avoid getting infected from such a hack is to pay attention to the UAC prompt shown by the installer and make sure it's signed by Ivo.

_________________
Links to some general topics:

● Compare Start Menus

● Read the Search box usage guide.

I am a Windows enthusiast and did Classic Shell's testing and usability/UX feedback.

For any malware to be detected, its signature has to be present in the AV vendor's app. This malware was new. AVG, Kaspersky and some other AV vendor detected it as a generic threat. And Windows UAC prompt showed it with a yellow band and as coming from an unknown publisher.

_________________
Links to some general topics:

● Compare Start Menus

● Read the Search box usage guide.

I am a Windows enthusiast and did Classic Shell's testing and usability/UX feedback.

...k...I didn't quite follow that...


Problem is, I don't even remember if I ran the installer, nevermind what the UAC prompt showed. I checked the signature after reading the OP and it showed that it was legit...but I'm still feeling really uneasy about this...I think I'll just skip this update and wait for 4.3.1 or whatever ;~;


Also,

_________________
TILES WOOOOOO

Well, no, you can't skip the update if you already ran the installer...
If you are infected, the next reboot will fail. If you are not that confident everything is OK, I would back up the important files to an external drive, cloud, or whatever, and then do a test restart.

I have not done anything to prevent further attacks. The compromised FossHub site is down, and as far as I can tell Mediafire hasn't been hacked. Since I don't host the files on my home machine (it would require terabytes of bandwidth each month), there is very little I can do to control the security of the download service.

Do you have a checksum for the 4.3.0 release?

Classic Shell 4.3.0's installer has:
CRC32: A63C4C3F
MD5: E10881B65C27C6E09E5A33CD8BCD99C6
SHA-1: A6B06D07FE3B1A7204B1B62C67FBF3C602385364

_________________
Links to some general topics:

● Compare Start Menus

● Read the Search box usage guide.

I am a Windows enthusiast and did Classic Shell's testing and usability/UX feedback.

Just an idea, while it is good to have the warning on the main website I feel like it would make a crap ton more sense for it to be moved from the "What is Classic Shell?" section to the "News" section to the right. Where it is currently is very crowded with other information and it just doesn't seem that important.

It also makes sense because this is a newsworthy event!

_________________
Windows 10 Pro x64

I'm pretty sure I didn't run the installer, and I was implying that if I did, I don't plan to run any installer for this update again ._.

Also I fished the installer out of my recycle bin to check the signature. This is what it said:

is that okay? And should I restart just to be sure?


...switching hosts sure sounds like action to prevent future problems to me... .-.

_________________
TILES WOOOOOO

Yes, your file is fine, and I recommend you install it. There are some fixes and new skin features.

As for service providers, there aren't that many that offer multi-terabyte bandwidth at a price I can afford. Mediafire is still pricy, but not unreasonably so. FossHub is free but shows one ad per download. Everything else is either prohibitively expensive or has tons of ads where you can easily click on the wrong thing and get an extra browser toolbar or two.

Wow, m*therf*ckers... Why on hell would some random guys do that?

I installed CS about 2-3 days ago, but I downloaded it from here, the main page, and I didn't got this malware thing.

By the way, you should edit the main message. Hackers are the GOOD guys, Cyber Criminals are the BAD guys.
Hackers = Police
Cyber Criminals = Robbers

So saying "a hacker did this bad thing" is a contradiction. A cyber criminal did.

...err...yeah, if I can get myself to do so without worrying like crazy afterwards. Honestly I trust everything you say, but that doesn't make a darned bit of difference to how scared I was and still am.



...what about Mega? AFAIK they don't show any ads and are pretty much all about security or encryption or whatever...then again I've yet to see anything about pricing, so idk .-.

_________________
TILES WOOOOOO

Last time I checked Mega they had a relatively low monthly bandwidth.

Do the math - the installer is 7MB. 1 million downloads per month equals 7TB/month. And Classic Shell easily gets more than 1 million/month, especially following a new release.

Okay so, for anyone who needs some extra confidence, I got hit by it. I was stupid and didn't stop when the digital signature wasn't there. Though I did acknowledge it by thinking "wasn't this signed last time I updated? Oh well."
Unfortunately for me, something else happened when I got infected. Avast, my antivirus, caused me to bluescreen due to an incompatibility with the Anniversary update on newer Intel CPUs. So even when I fixed my master boot record, I was stuck in a boot loop and had no idea what to do.

But the only reason I discovered the boot loop is because I fixed my master boot record, and it's really easy.
I simply borrowed a family member's laptop to make myself a boot disk (just download the Windows ISO of your system and slap it on a disk or USB drive), used it to get into the recovery environment for Windows, opened the command prompt, and used the command "bootec /fixmbr". That got me to the windows loading screen, which gave me a BSOD every time because of Avast.

All in all, don't panic. The boot record is really easy to fix with little technical knowledge, and none of your personal files will be tampered with.

Get your terminology right. "hacker" is a generic term for people that modify software typically without acces to the source code.

Black Hat Hackers = Bad Guys
White Hat Hackers = Good Guys

_________________
Windows 10 Pro x64

Was just about to comment on this

Though 'white hat' hackers are 'good' most of what they do is still illegal.. and obviously subjectively good.... Its even possible that the recent hackers that hacked classic shell see themselves as white-hats because they supposedly did it to draw attention to a major hole in Fosshubs security. Yes rendering thousands of computers Inoperable is bad, but the fix is fairly simple; and causing a splash is sometimes the only way to get noticed. Also it could have been way worse.. (like wiping the whole hard drive, or stealthily stealing credit-card info)

Yeah, I know exactly what a hacker is. And a hacker is "good" because he modifies things in order to learn or just for fun, legal or illegal. A hacker never tries to mess other people computer, a hacker never tries to do evil things.

So, hacker = police, and cyber criminal = robber.

You could say "but a police can be corrupted and be a bad guy". Yeah, you're right, that's your "black hat hacker", but you know, that¡s atypical, and normally police do good things.

This attack was intended to damage computer's all over the world, so a hacker does not fit in that category.

Personally I would define a hacker as: Anyone who changes or modifies anything through un-conventional means, often to gain an un-anticipated result

Webster however defines a hacker as : a person who secretly gets access to a computer system in order to get information, cause damage, etc. : a person who hacks into a computer system
(Really a stupid, and simplified answer, but it definitely has a negative connotation)


Because the definition of hacker is so hard to pin down.. lets just agree to disagree

Well, that's one horrible definition, which is totally wrong.

If you ask any hacker out there, they will always say "we're sick of explaining that hackers are just normal people who just mess around devices to create or invent something new, add features it didn't have, do things the manufacturer didn't want us to do, many times kind of "illegal" because they break some terms or whatever. But the ultimate goal is just adding things for fun and use devices in a way they weren't intended to be used. For example, a hacker would modify the Wii so it can read PS3 games, or modify a PS4 so it can be used as a toaster, or add a WiFi card to a PS1 so you can watch YouTube through it. A hacker would never try to hurt anyone's devices or steal your information, just like a policeman would never rob a bank.

To sum up, hacker can't have any negative connotation, as police can't have any negative connotation by definition. Sure a police can commit a crime or a hacker can commit a cyber attack like this one, but then automatically the hacker wouldn't be considered a hacker anymore, but a cyber criminal.

It's like saying an innocent man killed a kid last night. That's exactly what we are saying. The time you kill someone, you automatically stop being innocent and you become a criminal.

@Gaurav




Might I suggest adding this information to future release announcements? It's standard practice for many open-source projects.

I will need to check as I did download a copy recently on a machine and not sure which one it was..

I had problems yesterday (August 22, 2016). I kept getting a pop up saying I needed to update Classic Shell, and I will admit we were driving and I wasn't paying alot of attention, was just trying to get some work done (I was a passenger), so clicked yet, then got stopped because an admin had to approve the upgrade. It didn't look like either of the examples shown from the original problem, but after 3 reboots yesterday I suddenly had no internet, airplane mode was stuck in on. I THINK this had something to do with the stupid Windows 10 Anniversary update and possibly Classic Shell being hacked as well, but in the end I had to restore my software to it's original factory standards and am now downloading all my software again. Just wanted to mention this in case anyone else had something similar going on now.

I just had an issue of a similar nature (8-24-16) where the recent windows 10 update removed the software without any warning due to some 'incompatibility'. I double-checked the file signature from the download as recommended above and forced the install (windows 10 start menu destroys my workflow, it's just so distracting and obnoxious to use) and it's working just fine on a Dell XPS 13. No issues so far.

Windows 10 Anniversary Update and future builds may remove Classic Shell. This is not related to the hack. If Windows 10 removes it, you can reinstall a compatible version.

_________________
Links to some general topics:

● Compare Start Menus

● Read the Search box usage guide.

I am a Windows enthusiast and did Classic Shell's testing and usability/UX feedback.