infections which can survive a reinstall of Windows

pseymour said:

I don't have any advice, because quite honestly, I think this is all made up. There are phrases in here that sound computer-ish but that don't actually make sense.

• prefetch jobs began executing
• commands are so obfuscated in the filesystem
• replace hollow processes with whatever it wants to
• phase 1 seems to be a lot of windows sxs and hypervisor stuff

Yes, that's how Windows is, in places.



Seems like a not-so-great policy.



Except for the "nonsensical" label, this is actually somewhat true.

Maybe I'm wrong; it's happened once or twice, and if this really is a legit issue, I hope it gets cleaned up. But I've been around the block a couple of times.

Click to expand...

I am just barely technology adjacent when it comes to the OS level stuff, but have taken this research up myself after wasting significant money on avenues that werent fruitful. Unplugging the battery during a fake windows update catches things that would have no trace if the job finished. It seems like there is a local network policy or something actually leveraging the windows update process to advance to a next phase of complexity. If I wait - those logs and temp files are gone.

I can see what you mean on the language I used to articulate symptoms and observations not being how someone experienced would phrase it. I assure you this is not made up and am perfectly open to the fact that I might be wrong.

I am asking for your help - specifically if I can solve how Office16 keeps reinstalling itself immediately after a clean install, along with a ton of Microsoft Insights developer stuff and custom apps? If it would give me some new threads to pull on. What might show that Im full of crap? Ill run it and show you. Clean install to me means using a clean, official key from windows media creation tool, running a full install/deletion of data and not a repair, deleting all partitions on the ssd, kicking off a "clean all" on the disk, and then reformatting and proceeding with the install. I bypassnro and do not log in to any actual accounts during the config stage.

I have bought new laptops just to make clean install keys. I bought a tableu usb writeblocker to prevent said keys from getting corrupted and to be able to forensically clone these drives byte for byte and not lose evidence. Ive gone through 10 brand new SSD's trying to test different things. I walked into best buy and bought and honest to goodness Windows 11 Pro boxed edition in the hopes that would clear up the office16 stuff. But nope. Every new laptop and tower Ive bought, every laptop nearby, all compromised with the same behavior despite being from 2025 and absolutely never came anywhere near any office16 stuff.

16.x is the version number for every version since 2016, if I recall correctly. I haven't done a clean install of an original Windows ISO in a while, but it wouldn't surprise me if there were "Office 16" references on it somewhere.

View attachment 154265

There are the rare instances of malware that can survive even a format of a disk storage device. One of the notable instances is from a group known as the "Equation Group" which is believed to be operated by the NSA. The malware is stored within the disk drive firmware itself and is not at all visible to the operating system. The only recovery option would be replacing the storage device. Both China and the USA have been known to implement chips in technology destined for certain targets of interest.

These types of malware are extremely rare and are only associated with nation state threat actors and their targets.

pseymour said:

16.x is the version number for every version since 2016, if I recall correctly. I haven't done a clean install of an original Windows ISO in a while, but it wouldn't surprise me if there were "Office 16" references on it somewhere.

View attachment 154265

Click to expand...

Appreciate the thoughts and reply.

1) Office installed locally isnt part of the default Windows 11 ISO. Certain parts of the suite are but the classics like excel, word, powerpoint are not. So not only should Office 16 versions of these programs be auto installed, none of them should be.

2) I'm not referring to the build number. Even MS Support admitted theyre packaged up as Office 16 programs but because its out of support they wouldnt dig in.

neemobeer said:

There are the rare instances of malware that can survive even a format of a disk storage device. One of the notable instances is from a group known as the "Equation Group" which is believed to be operated by the NSA. The malware is stored within the disk drive firmware itself and is not at all visible to the operating system. The only recovery option would be replacing the storage device. Both China and the USA have been known to implement chips in technology destined for certain targets of interest.

These types of malware are extremely rare and are only associated with nation state threat actors and their targets.

Click to expand...

neemobeer said:

There are the rare instances of malware that can survive even a format of a disk storage device. One of the notable instances is from a group known as the "Equation Group" which is believed to be operated by the NSA. The malware is stored within the disk drive firmware itself and is not at all visible to the operating system. The only recovery option would be replacing the storage device. Both China and the USA have been known to implement chips in technology destined for certain targets of interest.

These types of malware are extremely rare and are only associated with nation state threat actors and their targets.

Click to expand...

I know thats the party line in the field. I'd love for you to poke holes in what Ive attempted.

Your comment about preconfiguring machines is interesting. I actually went back to ebay to purchase another refurbed acer at one point to look into one of these machines completely fresh out of the box and was blocked from doing so. Ebay threw an error that Id already purchased the limit of 10 and per the shop policy I cannot buy more. I always found it very odd. I never bought 10, I bought 6, and I wasnt even logged in.

jbnapc said:

Appreciate the thoughts and reply.

1) Office installed locally isnt part of the default Windows 11 ISO. Certain parts of the suite are but the classics like excel, word, powerpoint are not. So not only should Office 16 versions of these programs be auto installed, none of them should be.

2) I'm not referring to the build number. Even MS Support admitted theyre packaged up as Office 16 programs but because its out of support they wouldnt dig in.

Click to expand...

I didn't say Office was installed as part of Windows, so I'm not sure what you're on about there.

I also was not referring to the build number. I said, "16.x is the version number for every version since 2016, if I recall correctly." Office 2016 is out of support, but Office 16, as in the version numbers starting with 16.x, could still be in support, depending on what it is. I showed the about box for my installation of 365, and the version number is 16.x.

Seems like you are looking for things to be wrong. Unless you have some evidence that something actually is wrong, rather than tossing around computery terms, I've lost interest.

pseymour said:

I didn't say Office was installed as part of Windows, so I'm not sure what you're on about there.

I also was not referring to the build number. I said, "16.x is the version number for every version since 2016, if I recall correctly." Office 2016 is out of support, but Office 16, as in the version numbers starting with 16.x, could still be in support, depending on what it is. I showed the about box for my installation of 365, and the version number is 16.x.

Seems like you are looking for things to be wrong. Unless you have some evidence that something actually is wrong, rather than tossing around computery terms, I've lost interest.

Click to expand...

I understand - and sincerely appreciate your time and energy. Your responses are dismissive which I get that I deserve. You know a lot and I dont. But Office 16 is a specific release of the MS Office suite and not part of 365. Its a decade old.

Cheers and have a good day my friend. For the sake of defending my response to others following along, you attempted to explain away my symptoms by implying perhaps I misunderstood altogether and its actually a modern version of Office. I must have just gotten confused by the version number (its actually the build number based on your own screenshot, not the version number) so its nothing to worry about.

My responses to you were explaining why your response is not making the points you think it makes. You didnt explicitly say Office is included in Windows 11 but your response implies you think this a non issue because its probably just a misunderstanding on nomenclature/release details. The point I am making is that even if that were true, MS Word should not be there after a comprehensive clean install. So that line of thinking is a dead end and doesnt address the symptoms I am seeking help with.

Ive asked you what evidence youd like to see and you havent answered, but the offer stands. I am not going to spend hours compiling things for you just to be waved off and dismissed but if you are genuinely curious and have a specific smoking gun in mind that would convince you, let me know and I will provide it.

jbnapc said:

But Office 16 is a specific release of the MS Office suite and not part of 365. Its a decade old.

Click to expand...

No, Office 2016 is a specific release of Office. "16" is the major version number for every version from that release onward. So it's perfectly fine to see references to Office 16 even today. You keep mentioning the build number. You do realize the build is part of the version number right? In Microsoft's usage of version numbers, the build number is the third part of the Major.Minor.Build.Revision format they like to use.

jbnapc said:

you attempted to explain away my symptoms by implying perhaps I misunderstood altogether and its actually a modern version of Office.

Click to expand...

I didn't explain away anything. I said it wouldn't surprise me if there were references to Office 16.

All of this posting arguing against stuff I didn't say, you could have posted evidence that something was wrong, but you haven't.

This thread is old and on its sixth page. Start a new thread of your own with actual symptoms, and someone will help you.

pseymour said:

No, Office 2016 is a specific release of Office. "16" is the major version number for every version from that release onward. So it's perfectly fine to see references to Office 16 even today. You keep mentioning the build number. You do realize the build is part of the version number right? In Microsoft's usage of version numbers, the build number is the third part of the Major.Minor.Build.Revision format they like to use.

I didn't explain away anything. I said it wouldn't surprise me if there were references to Office 16.

All of this posting arguing against stuff I didn't say, you could have posted evidence that something was wrong, but you haven't.

This thread is old and on its sixth page. Start a new thread of your own with actual symptoms, and someone will help you.

Click to expand...

You are kind to have responded this much. I didnt post here hoping someone would solve it for me for free and thanks for your time.

I felt relief stumbling on this thread and seeing someone else has battled a similar issue, and in the sea of responses like the ones Ive gotten today basically saying "yea theoretically maybe... but no...", which is an understandable response when youve never seen it, it can feel good to not be alone in it. My hope was someone else might see it and maybe we can help each other. I'll keep my hopes up and leave it here.

If anyone in the future deals with a similar issue please feel free to message anytime, and @Merlin id love those details you offered to share via dm whenever you get a chance.

infections which can survive a reinstall of Windows​

Click to expand...

its referred to as 'Ghosts in the system'

best of luck Steve ..