infections which can survive a reinstall of Windows


Stay well hydrated my friend. I've been there and a lack of hydration made things worse.


Fortunately, I have a bunch of.... THIS
It's powdered... one packet per 16.9 oz of water. I use 20 oz of water, scalding hot.
 

Fortunately, I have a bunch of.... THIS
It's powdered... one packet per 16.9 oz of water. I use 20 oz of water, scalding hot.
Looks good... Should help your internal Antivirus Defender system... the medics call it the immune system.
 

For someone that does not run a dual boot system
I do not run a dual boot. A "live" distro is a Linux distribution that can be booted and run straight from removable storage media such as optical discs or USB flash drives, instead of being installed on and booted from a hard disk drive. I have Linux Mint Cinnamon on USB and boot to it from my F12 boot menu (with Secure Boot turned off), mainly for file recovery when a Windows system won't boot or for deletion of stubborn files on a Windows partition. It doesn't care about permissions, so files from a Windows drive can easily be accessed, deleted or copied. Having one available is as handy as buttons on a shirt.

I always shied away from Linux because it leaned so heavily on its command line. But anyone can use Ubuntu or Cinnamon as-is for common stuff. It's really a quite beautiful and customizable OS and has proven to me that I do have options other than Windows. Oh... and one can install it on just about any hardware.
cinnamon.png
 

So say this is at address 2000 (hex) in the mobo's BIOS. All that has in it is a tiny, minuscule instruction in machine code: jump to another address, which is another bit of machine code that says load code at another address and start executing it. (Bootstrap process: address 0 -- hardware --> to address 1 to load code and execute at address 2, which is the BIOS menu etc., and start executing.) In the case of EFI computers the default EFI file will be in the BIOS's CMOS (can be saved -- otherwise you'd need to use the computer's boot BIOS menu every time). If an attacker can get at that default EFI file then he / she's "in business". Not so Q.E.D.!
On a side note, the vast majority of modern PCs don't actually even still use the battery-backed memory (often referred to as CMOS) for anything besides the RTC register and a few other legacy functions; instead they use non-volatile (NV) memory to store the UEFI settings. As for the default EFI file, that one is stored on the EFI System Partition under the \EFI\Boot directory path, but the UEFI Boot Manager uses global variables that are stored in the NV memory, and so it is also possible to specify your own fallback bootloader in there.

On another side note, you don't necessarily HAVE to use a live distro if you don't want to, as rEFInd with iPXE chainloading and a custom script also still works. All you basically need to do is let your custom script mount an iSCSI volume so that, next, it can use SFTP or similar to transfer whatever ISO file you want onto it, then let it use Ventoy to continue to boot straight into that one... and off you go.
 

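The point above, that the boot manager's entries (BootOrder and the Boot#### variables) live in NV storage rather than on the disk, is something you can check directly from a live Linux system. What follows is an added example of mine, not code from this thread or from any project: it decodes the EFI_LOAD_OPTION structure of each Boot#### entry, walks the device path to pull out the loader file, and flags any entry whose loader is not on an allowlist. The allowlist (only bootmgfw.efi), the efivarfs path and the two sample entries are assumptions or constructed data so the audit runs offline; on a real machine run audit_live_system() as root (efibootmgr -v shows the same entries, and on Windows bcdedit /enum firmware does).

```python
"""Decode the UEFI Boot Manager's BootOrder and Boot#### variables and flag
load options that point at a loader file not on an allowlist."""
import os
import struct

EFIVARFS = "/sys/firmware/efi/efivars"
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
LOAD_OPTION_ACTIVE = 0x00000001

# Assumption for this example: the only loader this machine should boot.
EXPECTED_LOADERS = {r"\EFI\Microsoft\Boot\bootmgfw.efi".lower()}


def parse_device_path(dp):
    """Walk an EFI device path; decode File Path nodes, report the rest raw."""
    nodes, off = [], 0
    while off + 4 <= len(dp):
        ptype, subtype, length = struct.unpack_from("<BBH", dp, off)
        if length < 4 or off + length > len(dp):
            raise ValueError("malformed device path node")
        if ptype == 0x7F and subtype == 0xFF:          # End Entire Device Path
            break
        body = dp[off + 4:off + length]
        if ptype == 0x04 and subtype == 0x04:          # Media / File Path node
            nodes.append(("file", body.decode("utf-16-le").rstrip("\x00")))
        else:
            nodes.append((f"type{ptype:#04x}/sub{subtype:#04x}", body.hex()))
        off += length
    return nodes


def parse_load_option(data):
    """Decode an EFI_LOAD_OPTION: Attributes u32, FilePathListLength u16,
    NUL-terminated UCS-2 Description, FilePathList, then OptionalData."""
    attributes, fp_len = struct.unpack_from("<IH", data, 0)
    off = 6
    while off + 2 <= len(data) and data[off:off + 2] != b"\x00\x00":
        off += 2                                       # scan UCS-2 code units
    description = data[6:off].decode("utf-16-le")
    off += 2
    return {
        "active": bool(attributes & LOAD_OPTION_ACTIVE),
        "description": description,
        "path": parse_device_path(data[off:off + fp_len]),
        "optional_data": data[off + fp_len:],
    }


def audit_boot_entries(boot_order, entries):
    """boot_order: raw BootOrder payload (u16 list); entries: {n: Boot#### payload}.
    Returns one record per entry, in boot order, with an 'unexpected' flag."""
    report = []
    for num in struct.unpack(f"<{len(boot_order) // 2}H", boot_order):
        if num not in entries:                         # dangling BootOrder slot
            report.append({"entry": f"Boot{num:04X}", "description": None,
                           "files": [], "unexpected": True})
            continue
        opt = parse_load_option(entries[num])
        files = [v for kind, v in opt["path"] if kind == "file"]
        bad = [f for f in files if f.lower() not in EXPECTED_LOADERS]
        # No file node at all means the firmware typically falls back to its
        # default loader (\EFI\BOOT\BOOTX64.EFI on x86-64), so flag that too.
        report.append({"entry": f"Boot{num:04X}",
                       "description": opt["description"],
                       "files": files,
                       "unexpected": bool(bad) or not files})
    return report


def read_efivar(name, guid=EFI_GLOBAL_VARIABLE):
    """Read a variable from efivarfs; its first 4 bytes are attribute flags."""
    with open(os.path.join(EFIVARFS, f"{name}-{guid}"), "rb") as f:
        return f.read()[4:]


def audit_live_system():
    """Run the audit against the running Linux machine (root, efivarfs mounted)."""
    order = read_efivar("BootOrder")
    nums = struct.unpack(f"<{len(order) // 2}H", order)
    return audit_boot_entries(order, {n: read_efivar(f"Boot{n:04X}") for n in nums})


# ---- constructed sample so the audit runs offline without efivarfs ----
def build_load_option(description, file_path, active=True):
    """Assemble a Boot#### payload: HD(1,GPT,...) node + File Path node + End."""
    desc = description.encode("utf-16-le") + b"\x00\x00"
    hd = struct.pack("<BBHIQQ16sBB", 4, 1, 42, 1, 0x800, 0x32000, b"\x11" * 16, 2, 2)
    fp = file_path.encode("utf-16-le") + b"\x00\x00"
    dp = hd + struct.pack("<BBH", 4, 4, 4 + len(fp)) + fp + struct.pack("<BBH", 0x7F, 0xFF, 4)
    return struct.pack("<IH", LOAD_OPTION_ACTIVE if active else 0, len(dp)) + desc + dp


SAMPLE_ENTRIES = {
    0x0000: build_load_option("Windows Boot Manager", r"\EFI\Microsoft\Boot\bootmgfw.efi"),
    0x0001: build_load_option("Recovery", r"\EFI\Boot\bootx64.efi"),  # constructed: not allowlisted
}
SAMPLE_BOOT_ORDER = struct.pack("<2H", 0x0001, 0x0000)   # Boot0001 is tried first

if __name__ == "__main__":
    for rec in audit_boot_entries(SAMPLE_BOOT_ORDER, SAMPLE_ENTRIES):
        print(rec)
```

The check is deliberately narrow: it tells you which loader file the firmware will hand control to, not whether that file is genuine. Pair it with an offline hash or signature check of the files on the ESP, and remember that an implant in the firmware image itself sits below these variables and will not show up here.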
glasskuter, very good. Your post reminded me that I need to update my Linux Mint USB thumb drive with the latest version that just came out recently. I primarily keep that thumb drive in case I have to reinstall Mint. I can't remember the last time I had to do that though. For that matter, the last time I did anything with Windows was when I cloned HDD to SSD. Anyway, if I get something strange going on with Windows on the PC, I'll remember to boot up with the live drive and see how things go.
 

I do not run a dual boot. A "live" distro is a Linux distribution that can be booted and run straight from removable storage media such as optical discs or USB flash drives, instead of being installed on and booted from a hard disk drive. I have Linux Mint Cinnamon on USB and boot to it from my F12 boot menu (with Secure Boot turned off), mainly for file recovery when a Windows system won't boot or for deletion of stubborn files on a Windows partition. It doesn't care about permissions, so files from a Windows drive can easily be accessed, deleted or copied. Having one available is as handy as buttons on a shirt.

I always shied away from Linux because it leaned so heavily on its command line. But anyone can use Ubuntu or Cinnamon as-is for common stuff. It's really a quite beautiful and customizable OS and has proven to me that I do have options other than Windows. Oh... and one can install it on just about any hardware.
On a basic laptop I use Arch Linux with the KDE desktop installed -- I like Arch Linux because you can install the base system with zero bloat (you have to run the install from the command line, so it's a bit daunting for newbies, but not really too complex). Then install the basic KDE desktop, and then you've got the GUI, and then add such apps as you want.

Most "Live" distros, if you install from them, have zillions of apps included, most of which I don't want or need.

But once you do get Linux installed on a laptop as a host machine, installing Windows GUESTS is really simple and infinitely flexible: use KVM/QEMU, and on any desktop GUI, whether GNOME, KDE, Mint etc., you can install Virtual Machine Manager, which is a GUI VM manager, and the VM system is really efficient.

Of course, if you have a Windows host, Hyper-V makes an excellent fast platform for adding other Windows or Linux VMs too.

Cheers
jimbo
 

Most "Live" distros if you install from them
I've only installed Linux once just to see how it would run on an old ill equipped laptop I donated to a group that was providing laptops to underprivileged kids. But, I've used the heck out of that usb drive from computer to computer since.
 

@mackie

@glasskuter

Here's the GUI for Virtual Machine Manager (KVM/QEMU) for one of my W11 VMs.

Screenshot_20230326_192213.png


And you can also edit the config file for the VM directly if you prefer by clicking the XML tab -- it's an XML file, but any text screen editor also works.

Screenshot_20230326_192259.png


Add / remove hardware at will.

On this VM I'm not using any host network card but an attached physical USB wifi->USB device. Saves messing about with "Bridging" / NAT and problems with HOST / GUEST communication.

And now the VM W11 "Birdie Build"

Screenshot_20230326_194200.png

Cheers
jimbo
 

Good Morning

Thanks for the ear to listen! My task today is simple as I get an early start: resolve my Windows licensing issues on my test rebuild (laptop first)!
Tomorrow (Saturday) I will go back to my club and start the process over to see.
Again, the false positives are killing me, as they make you chase ghosts!
I might add that external tracing is/was difficult with this infection.
Again, false positives, as it could be something very simple, but I hope the rebuilds prove me wrong and that it's a hard drive virus.
Some facts point to it being human controlled after it reaches out from the infected PC, like SAM changes, share searches etc.

I will DEF post after my laptop is cleaned and tested!

Thanks Glasskutter and everyone!
I am sure we are getting close!

Regards

Rich
Hi merlin!
I found your story after searching for days; I have the same problem.
I noticed some files I had no access to. Trying to change policies/rights didn't work.
So I started to dig deeper and deeper... the registry was completely destroyed, BitLocker deactivated, Malwarebytes Premium unable to activate real-time scan, the to-do task completely changed and remote connections with new accounts with more rights than me.

So I unplugged the WiFi adapter and shut down the system.
Opened my laptop to research the attack, and noticed the same s*** on that machine.
So I instantly reset the whole Windows (the computer is new anyway).
But it didn't help!
When I enter the BIOS on the laptop, the hard disk is called some new name.
I also tried to run "disk clean all" through cmd in the Windows CD setup, but there are still some files on the drive...
I also tried to run Tron Script; that didn't work either...
Did you manage to remove everything?
 

I don't think any anti-malware program can detect rootkits from within Windows; you would have to boot into a separate OS, RE or PE environment.

My favoured AV does not have this option but looks out for any activity that is malicious or suspicious.
 

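Here is one concrete way to do the "check it from outside the suspect OS" that the post above calls for, and that the earlier live-Mint-on-USB post makes possible. It is an added example of mine, not code from this thread: boot a live USB, mount the EFI System Partition read-only (mount -o ro /dev/nvme0n1p1 /mnt/esp, where the device name is an assumption), build a SHA-256 manifest of every file on it while the machine is known clean, keep that manifest off the machine, and later diff a fresh manifest against it. The demo builds a constructed fake ESP in a temporary directory and tampers with it so the comparison runs without a real partition. The caveat raised further down in this thread applies: this catches changes to files on disk, not an implant in SPI flash, SSD or router firmware; for those you need a firmware dump compared against the vendor image.

```python
"""Offline integrity check for an EFI System Partition (or any boot-critical
directory): build a SHA-256 manifest from a known-clean state, store it off the
machine, and diff a new manifest against it from a live USB later on."""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in 1 MiB chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> {sha256, size} for every file under root.
    Paths are '/'-separated and lower-cased because FAT (the ESP filesystem)
    is case-insensitive, so a case change alone must not look like an edit."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            manifest[rel] = {"sha256": hash_file(full),
                             "size": os.path.getsize(full)}
    return manifest


def compare_manifests(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, data):
    """Helper for the constructed demo tree."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed fake ESP: take a baseline, tamper with it, diff. The file
    contents are placeholders, not real loaders."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = os.path.join(tmp, "esp")
        _write(esp, "EFI/Microsoft/Boot/bootmgfw.efi", b"MZ original loader")
        _write(esp, "EFI/Boot/bootx64.efi", b"MZ fallback loader")
        baseline_path = os.path.join(tmp, "esp-baseline.json")
        save_manifest(build_manifest(esp), baseline_path)   # normally kept off-box

        # Simulate what a bootkit does: swap the loader and drop an extra one.
        _write(esp, "EFI/Microsoft/Boot/bootmgfw.efi", b"MZ patched loader")
        _write(esp, "EFI/Microsoft/Boot/extra.efi", b"MZ added loader")

        return compare_manifests(load_manifest(baseline_path), build_manifest(esp))


if __name__ == "__main__":
    # Real use from a live USB (mount points are assumptions):
    #   save_manifest(build_manifest("/mnt/esp"), "/media/usb/esp-baseline.json")
    #   ... later, after a suspected compromise ...
    #   print(compare_manifests(load_manifest("/media/usb/esp-baseline.json"),
    #                           build_manifest("/mnt/esp")))
    print(json.dumps(demo(), indent=1))
```

Take the baseline right after a clean install and again after each legitimate Windows update that touches the boot files, and store it on media the suspect machine never mounts read-write; a manifest that lives on the same disk as the files it vouches for is worth nothing once the disk is compromised.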
I don't think any anti-malware program can detect rootkits from within Windows; you would have to boot into a separate OS, RE or PE environment.

My favoured AV does not have this option but looks out for any activity that is malicious or suspicious.
There exist a few scenarios where even that could potentially still fail. Experienced hackers can hide malicious code in other places, such as the firmware of a router or of an SSD, so it gets reactivated from there after the entire system was presumed to be clean. Sure, background monitoring can look out for suspicious activity. But that involves generic detection methods and scanning techniques, which are prone to giving false alerts and to getting you hammered with warning messages that a lot of people choose to suppress because of the getting hammered part.

Isolation software like Sandboxie-Plus can help to mitigate the threat, as it lets you selectively restrict access to resources and filesystem modifications for those specific processes/programs that you think might be a concern. As an example, recently a critical vulnerability was discovered in libwebp that affected pretty much all popular web browsers. Running my Firefox Portable sandboxed under Sandboxie-Plus (which I've been doing over the past decade) is what makes me feel a tad more secure than relying on AV scanning algorithms, each and every single one of which persistently failed to inform me that libwebp had a huge gaping security hole in it until finally, at very long last, someone yelled to stop the presses and the news got out.
 

Hi Folks

Found this site by searching for solutions to a nasty hack, as THIS is a great discussion!! At a club I belong to someone clicked and sent it all over the network, and by then it was too late! I had VPN'ed in, and now from 1 PC, 4 more were infected and God only knows how many others. Trying to isolate, I built a firewall over the past few months as I scanned/searched for malware with tools from every company, and they all said you are clean! My PC has become somewhat of a honeypot with no info on it!
Using remote connections that I somehow have not completely figured out (but the tools were Terminal Server and PowerShell; always concerned about keystroke stuff as well) they destroyed 4 rebuilds. Each attack I saw how they got in, chased evidence of so many false positives, like process after process, to no avail. Since September I must have built over 200 entries in the firewall until I found they broke in after every online suggestion, registry change, SAM takeover, changing the registry settings locking the PC accounts and rendering it useless, as I had to rebuild etc. Hardened pretty good right now with PowerShell remoting disabled and Terminal Services remote the same way (blocked some ports as well)! So what I found was they somehow downloaded a worm and are real stealthy! Replaced all my TV boxes (FIOS) and was hoping to use the CR1000 FIOS router in bridge mode, but too many problems setting it up! Using RDP/IPv6 UDP methods they start some sort of a session on my PC and call home. Cannot find how this is started Saturday mornings on my PC! I took the Ethernet cable out and they used the WiFi adapter! When you restart/shut down, someone is using your PC remotely! Came back in and found changes to the PC... So now hopefully, and I say that loosely, having them blocked in or out with MS Defender, Norton and Malwarebytes running (tried Sophos but no help) and an installed firewall, I turned my attention to my PC again and am done using the recovery partition or Windows clean restore, as I found that it does NOT remove ALL files (clean the drive completely). I will be trying a Windows 11 Pro disk restore via DVD and will wipe the drive first and perform a clean install. I also tried resetting the BIOS twice and no good! Every company out there tells you how to protect, but it blew right through all of my previous hardening... If it is in memory then this should at least tell me to look at the hardware!

Thx

Regards

Merlin02131
Hi Merlin - Here I am at 3:22 AM reading your post. In the same exact boat as you are, and I felt compelled to reply in hopes it might help ease what you are feeling. I have rebuilt so many darn machines in the past 6 months, I could do it in my sleep. It sounds like the same exact thing I have, and now my entire family has.
I do not claim to be an expert in any way. But what I certainly am is a nasty junkyard dog. I don't quit, no matter what. There is little to no information online about this, and I would venture a guess that Microsoft knows about it at this point. I knew something was wrong in May of '23 when I was reading Event Viewer logs of my new ASRock rig. Not a gamer... just like cool stuff. Well, about a week ago, I figured it out. You are most likely not working off your hardware. You are working off a Hypervisor virtual machine, and probably have been for quite some time. This is why no... and I mean NONE of the well known malware / anti-virus programs pick this up. There are measures / scripts put in place that render these programs useless. How do I know this? I have the complete list of files used to deploy this. What I viewed and have witnessed has been shocking. The organization of the files itself, the speed of deployment, the depth of detail; it makes use of the, dare I say, Microsoft-Scumbags Windows 11 product very well. I said I liked nice things, remember? It uses catsrv catalogs, it uses any tunnel open via VPN, it uses and creates virtual tunnels, any neighboring signal, virtual ports, virtual adapters, and the list goes on. It does not matter if you have all ports closed and BT/WiFi off AND in Airplane mode. It still will connect to the server via neighboring devices, or whatever, which actually happens to be an old crappy server at that, with a $12 CPU, in my case. It will format an anti-virus USB drive and fill it with more crap immediately. 20 seconds. I watched it happen. With my own eyes. I was able to acquire logs of it "almost speaking to itself" in plain English, like a chatbot, after the 1st time I booted from USB to a "Fix me stick". It immediately identified the product, pulled the product URL and whatever data it could via the net and immediately wrote its own script based off the existing library. The 2nd time I inserted it, with no signs of connection, and outside the Hyper-V, it immediately formatted it and uploaded some crap to it.....

Even if and when you escape the 1st step, which is the Hypervisor VM, you will see an image on the top of your screen. And it will say Microsoft Windows <Version>. Let me save you some time. This ain't a version of Windows you can buy at Walmart. This version of Windows was never released to the public and must be custom. The OS on your physical hardware has been permanently altered. And I fear that anything that comes in contact with this Godzilla is toast. But, what the hell... ya gotta fight back, right?

Boot the PC as you normally would. Pull up the System Configuration menu; after disabling all services, you should immediately, and fast, post to Safe Mode minimal. You ain't gonna have network anyway! Then Device Manager ASAP, and don't crap your pants, but start disabling as many of the virtual adapters/drivers as possible. There are going to be a lot. So don't worry about whether you are going to need it. If it looks like it ain't right... bye bye. There are going to be several legitimate drivers that are compromised. Message me and I can send you a list. But pull up Task Manager and kill anything with SRVHST on it. Anything with Network, kill it. Anything font related, kill it. LSA... kill it. Depending on how long you have had it, and if you shut power off and don't have an internal battery, will depend how many services it has captured. Almost all of them were for me on some machines, and others that had been shut off, the spares, were in a lot better shape. I think I pissed it off when it, what I assume is unknowingly, locked me out on a blue screen with a command prompt window showing Admin System32 boot X:. What a mistake that was... I DISKPART'ED - CLEAN ALL command THE almost 4TB VM drive that I was still connected to somehow. Even got a video with a few cuss words in it. LIST DISK showed 3 drives. My NVMe, which was listed as disk 0, disk 1 which I am assuming was a partition for the Vdrive, and disk 2 was the Drive. Once you get out of the VM and close enough processes/services to render the control halfway, you will be able to navigate some of the files on your physical hardware. You will likely not recognize anything. It was round filed a long time ago. But, if you had an NVMe installed, it will make use of the speed and size for some of their libraries to offset bandwidth, I am assuming.

The full filing system is brilliant in how it lists them, actually. I have a bunch of rigs and laptops, like a lot. Every single one was on this Hyper-V VM rootkit. It is a conglomerate of every tool built into Windows 11 + Hypervisor put together in a compressed hidden file, scripted and automated for every scenario possible. I've read the damn logs, PowerShell, Terminal, and Linux, and scraped through the files. It's flippin' crazy. IMO, it absolutely has to utilize some sort of AI assistance.
Everything described in this discussion and another I was just reading on the Microsoft Community is dead on what this thing does. The one gentleman on the Microsoft Community forum that said he solved this by replacing his router is completely wrong or he was paid off by Microsoft.

Microsoft has made sure that they built in ways to get their advertising dollars, or, in my amateur opinion here, this was not entirely their idea. This was not done by an outfit without significant resources. Well, that's my little adventure; I hope at least a small win might help. Best of luck. I don't know where to go from here. And btw... if it ain't already on your phone, it will be shortly after if you decide to pull this stunt off. Go buy a bunch of fast jump C drives and 3.1 or 2 USB A's. You'll need 'em. OR I COULD BE ENTIRELY WRONG!

JB
 

There exist a few scenarios where even that could potentially still fail. Experienced hackers can hide malicious code in other places, such as the firmware of a router or of an SSD, so it gets reactivated from there after the entire system was presumed to be clean. Sure, background monitoring can look out for suspicious activity. But that involves generic detection methods and scanning techniques, which are prone to giving false alerts and to getting you hammered with warning messages that a lot of people choose to suppress because of the getting hammered part.

Isolation software like Sandboxie-Plus can help to mitigate the threat, as it lets you selectively restrict access to resources and filesystem modifications for those specific processes/programs that you think might be a concern. As an example, recently a critical vulnerability was discovered in libwebp that affected pretty much all popular web browsers. Running my Firefox Portable sandboxed under Sandboxie-Plus (which I've been doing over the past decade) is what makes me feel a tad more secure than relying on AV scanning algorithms, each and every single one of which persistently failed to inform me that libwebp had a huge gaping security hole in it until finally, at very long last, someone yelled to stop the presses and the news got out.

Windows has a built-in sandbox, although there are some system requirements.


 

Windows has a built-in sandbox, although there are some system requirements.


Windows Sandbox is severely lacking as for what it can do; there's not very many feature-enhancements/settings for the user to configure so its usefulness is still rather limited IMO.
 
