Hacker uses hyper vdisks on ISOs… long story.


Do a scan in safe mode so there is nowhere for anything to hide
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Alienware M18 R1
    CPU
    13th Gen Core i9 13900HX
    Memory
    32GB DDR5 @4800MHz 2x16GB
    Graphics Card(s)
    Geforce RTX 4090HX 16GB
    Sound Card
    Nvidia HD / Realtek ALC3254
    Monitor(s) Displays
    18" QHD+
    Screen Resolution
    2560 x 1600
    Hard Drives
    C: KIOXIA (Toshiba) 2TB KXG80ZNV2T04 NVMe PCIe M.2 SSD
    D: KIOXIA (Toshiba) 2TB KXG80ZNV2T04 NVMe PCIe M.2 SSD
    Case
    Dark Metallic Moon
    Keyboard
    Alienware M Series per-key AlienFX RGB
    Mouse
    Alienware AW610M
    Browser
    Chrome and Firefox
    Antivirus
    Norton
    Other Info
    Killer E3000 Ethernet Controller
    Killer AX1690 Wi-Fi 6E Network Adapter
    Bluetooth 5.2
    Alienware Z01G Graphic Amplifier
  • Operating System
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Alienware Area 51m R2
    CPU
    10th Gen i9-10900K
    Memory
    32Gb Dual Channel DDR4 @ 8843MHz
    Graphics card(s)
    Nvidia RTX 2080 Super
    Sound Card
    Nvidia
    Screen Resolution
    1920 x 1080
    Hard Drives
    Hard Drive C: Samsung 2TB SSD PM981a NVMe
    Hard Drive D: Samsung 2TB SSD 970 EVO Plus
    Mouse
    Alienware 610M
    Browser
    Chrome
    Antivirus
    Norton
I don't think we are going to know anything about this alleged 3 MB drive that can't be deleted until we see evidence of it with a screenshot of Disk Management or the results of zbook's code in post #14. I don't even know if it is possible to create a drive only 3 MB in size. And the claim is that it contains Windows PE and Strelec (post #10). Well, I can find a reference to Strelec's utility drive on MajorGeeks, but as with any Windows PE, it is over 4 GB. It's impossible to run Windows PE in 3 MB.

I think we are flagellating a dead equine with this whole thread as none of us have any idea what OP is talking about, and we are just guessing.

Incidentally, I have just created a 3 MB VHD out of interest, but it will be of very little use (maybe store the contents of 2x1.4 MB floppy disks, LOL).
 

My Computer

System One

  • OS
    Windows 10 Pro + others in VHDs
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Vivobook 14
    CPU
    I7
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    N/A
    Screen Resolution
    1920x1080
    Hard Drives
    1 TB Optane NVME SSD, 1 TB NVME SSD
    PSU
    Yep, got one
    Case
    Yep, got one
    Cooling
    Stella Artois
    Keyboard
    Built in
    Mouse
    Bluetooth , wired
    Internet Speed
    72 Mb/s :-(
    Browser
    Edge mostly
    Antivirus
    Defender
    Other Info
    TPM 2.0
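The 3 MB VHD question above can be settled on the machine rather than argued about, and the same commands produce the evidence the thread keeps asking for. The following PowerShell is an added example, not code from any poster: it creates a fixed 3 MB VHD with diskpart (3 MB is the smallest size diskpart and Disk Management accept), attaches it, and then lists every file-backed virtual disk the host currently sees, including the backing file path, plus VHDs attached to Hyper-V VMs and any native-boot `vhd=` entries in the BCD store. `$VhdPath` and the temp script location are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): create a 3 MB VHD and enumerate every
# file-backed virtual disk the host can see. $VhdPath is an assumption.
$VhdPath    = 'C:\Temp\tiny.vhd'
$ScriptFile = Join-Path $env:TEMP 'mkvhd.txt'
New-Item -ItemType Directory -Path (Split-Path $VhdPath) -Force | Out-Null

# diskpart sizes are in MB; 3 is the minimum it will create, matching the post above.
@"
create vdisk file="$VhdPath" maximum=3 type=fixed
select vdisk file="$VhdPath"
attach vdisk
"@ | Set-Content -Path $ScriptFile -Encoding ASCII
diskpart /s $ScriptFile | Out-Null

function Get-FileBackedDisks {
    # BusType 'File Backed Virtual' is how Get-Disk reports an attached VHD/VHDX.
    # Location carries the backing file path, so a mystery disk can be traced to its file.
    Get-Disk | Where-Object BusType -eq 'File Backed Virtual' |
        Select-Object Number, FriendlyName,
                      @{ n = 'SizeMB'; e = { [math]::Round($_.Size / 1MB, 1) } },
                      PartitionStyle, Location
}

# Expect one row of about 3 MB, PartitionStyle RAW, Location = $VhdPath.
Get-FileBackedDisks | Format-Table -AutoSize

# A VHD can instead be attached to a Hyper-V VM, where the host's Get-Disk never sees it.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    Get-VM | Get-VMHardDiskDrive | Select-Object VMName, ControllerType, Path
} else {
    Write-Host 'Hyper-V module not present; no VM-attached VHDs to list.'
}

# Native-boot VHDs appear in the BCD store as 'vhd=' device strings; none is the expected result.
bcdedit /enum all | Select-String -Pattern 'vhd='

# Detach and delete the test disk.
Dismount-DiskImage -ImagePath $VhdPath
Remove-Item $VhdPath, $ScriptFile -Force
```

A screenshot of Disk Management shows the same disk, but the `Location` column is the useful part: it names the file the disk lives in, which is what you need before you can delete it.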
It just doesn't add up to me
alleged 3 MB drive
I questioned that very thing myself when I read it, but gave the benefit of the doubt that maybe he was confused and actually meant 3 GB. That aside, I know hackers are smart and people are gullible, but this entire thread has left more questions than answers in my mind, since we have no concrete series of events as to how it all transpired in the first place. It's hard for people to admit they fall for such scams, so maybe that is why.

We never saw any screenshots. There had to be some app to manage the VM (unless the partition with Strelec on it wasn't a VM at all but just mimicked one). If that was the case, wouldn't the boot order have had to be changed to boot from that partition? Other than some sophisticated script file at boot, I fail to understand how his entire partitioning scheme was erased from within a VM, but I can understand how it could have happened at boot.

He said he "woke up to formatted hds because I made a change to his vdisk" which led me to believe he knew it was happening. I don't think we will ever know.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 22631.3447
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 +256gb ssd+512 gb usb m.2 sata
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 GB Toshiba BG4 M.2 NVMe SSD and 1 TB HDD
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
So, after some trial and error, I found a fix for my problem! I had to wipe every USB by manually deleting the partitions and volumes. Then I wiped them with a low-level HDD formatter, so those had to be cleaned. Then I turned off all TPM module settings and all Secure Boot keys and settings, and put boot mode to legacy only; this is what apparently caused that vdisk to fail, it needed UEFI settings to remain intact. I was then able to clean install Windows 11. Thank you all for the advice, I took it all in and came up with this solution; without someone mentioning the "delete volumes manually" I might not have tried it… trust me, no shortcuts could have been taken here, you are all ACES in my book!
 

My Computer

System One

  • OS
    windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom pc
    Motherboard
    Asrock b560m pro4
    Memory
    16 gb
    Graphics Card(s)
    Nvidia 2070 super
    Monitor(s) Displays
    Specter 27”
Well, it was highly modified, he had stripped it down to the core components that it needed; the vdisk expands to 64 GB when settings all fall into place, which is how a hyper vdisk was made to work. I know y'all think I'm crazy, but it's not paranoia when all your hard drives have been wiped and your product key has mysteriously turned into an enterprise key. The reason I knew he started with the Strelec ISO is it was labeled as a Win10PE with the build that matched the Strelec build, a 2009 something or other, some weird-ass hella modified Windows 10 beta build.
This story is very confusing and overly mystified.

Basically what happened, if I understand you correctly:

- you got hacked and someone has access to your computer, means still unknown
- you have formatted all your storage devices (you even did low-level formatting, which was unnecessary to be honest; a simple diskpart clean would have been sufficient, since this is not a forensics expert you have on you, but someone remotely connecting)
- the attacker is using VHD images which you knew about but refused to delete (I am still not sure why, but it doesn't matter)
- you want to lock out the attacker

What you need to do:
1. Make sure you have formatted every single storage device you have; this includes deleting those VHDs. Of course, first back up any important data, but not executable files. They might be compromised.
2. Reinstall a clean copy of Windows. Since you posted on the Windows 11 forum, I assume this will be Windows 11.
Since you're still unsure about the point of entry, you should also erase your USB installer stick and re-download a new, clean copy of Windows 11 from Microsoft, then copy it to your installer stick using Rufus.
3. If you have other computers in your network that could have been affected, you should also repeat the same procedure on them.
4. If you have a vulnerable router, you might also want to re-flash the latest firmware on it and erase all settings. Please note this does NOT mean hitting the reset button and saying you're done - you are not. IF it is a vulnerable firmware, then he will just hack it again, and there are chances he can tunnel himself into your internal network using that router, then start exploiting your PC from the network.
5. Change all of your passwords, everywhere, most importantly on your cloud storage. (By the way, it is wise that you use it.)

What you don't need to do:
- believe any theories or myths, including making up ones (it doesn't help. You have a lot of trained professionals here, willing to help you; just give them the facts and they will figure it out. No need to make guesses for them)
- use any modified builds of Windows 10, Windows PE, Windows RE


Oh and most importantly:
- you need to forget this Strelec whatever WinPE environment permanently. It may or may not be malicious. Even if it is clean, this is STILL a huge attack vector that you want to AVOID. You should only use the official Windows installer media and ones that you create yourself.

If you need more capabilities than what Windows 10/11 installation media (Windows PE 10.0 / Windows RE) can provide you, then ask away here. The folks here will be able to help you with it, without the need for tools like this Strelec whatever thing.

Good luck!
Best solution then is to bin the drive. I would also reiterate: never rely on any A/V virus-cleansing software to be used and run on a machine that's already infected. As I said, that's akin to a pilot deliberately taking a seriously damaged plane into the air and repairing it IN THE AIR!!! I wouldn't fly with that sort of pilot. Would any of you?!

If you must use those wretched A/V cleansing programs, take the drive out of the infected machine, connect it to a well-protected alternate machine, and then run that A/V stuff.

(Note also that, as storage devices are so cheap, just binning the drive and fitting a new one would be a far cheaper solution than paying for an "expensive consultant" to fix the machine; he'd (or she'd) probably just replace the drive anyway. If it were me, that's what I'd do, and charge maybe 3X what the new drive would cost!!!!!)

Of course you could also send the drive to the FBI / CIA / NSA and say you think there might be "pending terrorist details" on it and see the whole USA infrastructure collapse !!!

Cheers
jimbo
 

My Computer

System One

  • OS
    Windows XP,7,10,11 Linux Arch Linux
    Computer type
    PC/Desktop
    CPU
    2 X Intel i7
Ish4dow, you basically got it right, it was the result of a cheap trick that only works with all elements needed to sustain it. Also, you guys are all correct, I screwed up first; what first triggered it was random monitor issues, then all of a sudden I'm booting in VGA, not off my video card. Which of course began a rabbit hole we know as the future of computing, the true thing, a cloud-only computer.
@Corbindallas Good to know you are back in business. Everyone here is always ready to jump in with solutions to whatever problems you have, but we are at a disadvantage in that we can't see what is going on. If you need help again, here are some suggestions for any future posts.
Post in chronological order the series of events that led up to the problem. Every detail is important. That's the only way we can get a clear picture of what you are dealing with without us having to guess. Screenshots are very important. If your computer is out of commission, use your phone and snap a photo of your screen. If you can't insert a screenshot, you can always furnish cloud links to photos.

This particular case was definitely not the norm. Myself, I've never heard of this method of attack so your bad experience has been a learning experience for me. Now that it is all over, would you please tell us exactly how this hacker got into the computer. Did you click on a web link, email link, or attachment? Did you call a number that popped up on your screen or answer a phone call from someone wanting access to your computer? Did this person demand money from you?

If the latter is the case keep one thing in mind and share it with everyone you know. Microsoft will NEVER call you or ask you to call them. Neither will Google, any anti-virus company, Amazon, or any other major company. Any screen pop-up is a hacker. Any phone call is a hacker. NEVER, under any circumstances, give anyone you are not certain of remote access to your system.

If you yourself seek assistance from a company, make darn sure you reach that company through their official website. DO NOT just click on the first link in search results. 9 out of 10 times it will take you someplace you don't want to go and give you phone numbers you don't want to call.

If you ever do get a pop-up, shut your system down, disconnect from the internet, and then deal with the problem offline. In most cases, the message is erroneous and goes away at reboot. If it doesn't, there are numerous articles on the web how you should clean your system. The important thing is to NOT talk to the SOBs.

In one of my previous responses to this thread I mentioned changing your passwords. Be sure to do it.
