Hi Folks
Found this site by searching for solutions to a nasty hack, as THIS is a great discussion!! At a club I belong to, someone clicked and sent it all over the network, and by then it was too late! I had VPN'ed in, and now from 1 PC, 4 more were infected, and God only knows how many others. Trying to isolate, I built a firewall over the past few months as I scanned/searched for malware with tools from every company, and they all said you are clean! My PC has become somewhat of a honeypot with no info on it!
They used remote connections that I somehow have not completely figured out, but the tools were Terminal Server and PowerShell (always concerned about keystroke stuff as well), as they destroyed 4 rebuilds. In each attack I saw how they got in, chased evidence of so many false positives, process after process, to no avail. Since September I must have built over 200 entries in the firewall, until I found they broke in after every online suggestion and registry change: SAM takeover, changing the registry settings, locking the PC accounts and rendering it useless, so I had to rebuild, etc. Hardened pretty well right now with PowerShell remoting disabled and Terminal Services remote the same way (blocked some ports as well)! So what I found was they somehow downloaded a worm and are real stealthy! Replaced all my TV boxes (FIOS) and was hoping to use the CR1000 FIOS router in bridge mode, but too many problems setting it up! Using RDP/IPv6 UDP methods they start some sort of session on my PC and call home. Cannot find how this is started Saturday mornings on my PC! I took the Ethernet cable out and they used the Wi-Fi adapter! When you restart/shut down, someone is using your PC remotely! Came back in and found changes to the PC... So now hopefully, and I say that loosely, having them blocked in or out with MS Defender, Norton and Malwarebytes running (tried Sophos but no help) and the firewall installed, I turned my attention to my PC again and am done using the recovery partition or Windows clean restore, as I found that it does NOT remove ALL files (clean the drive completely). I will be trying a Windows 11 Pro disk restore via DVD and will wipe the drive first and perform a clean install. I also tried resetting the BIOS twice and no good! Every company out there tells you how to protect, but it blew right through all of my previous hardening... If it is in memory then this should at least tell me to look at the hardware!
Thx
Regards
Merlin02131
Hi Merlin - Here I am at 3:22 AM reading your post. In the same exact boat as you are and I felt compelled to reply in hopes it might help ease what you are feeling. I have rebuilt so many darn machines in the past 6 months, I could do it in my sleep. It sounds like the same exact thing I have, and now my entire family has.
I do not claim to be an expert in any way. But what I certainly am is a nasty junkyard dog. I don't quit, no matter what. There is little to no information online about this, and I would venture a guess that Microsoft knows about it at this point. I knew something was wrong in May of '23 when I was reading Event Viewer logs of my new ASRock rig. Not a gamer... just like cool stuff. Well, about a week ago, I figured it out. You are most likely not working off your hardware. You are working off a Hypervisor Virtual Machine, and probably have been for quite some time. This is why no... and I mean NONE of the well-known malware / anti-virus programs pick this up. There are measures / scripts put in place that render these programs useless. How do I know this? I have the complete list of files used to deploy this. What I viewed and have witnessed has been shocking. The organization of the files itself, the speed of deployment, the depth of detail. It makes use of the, dare I say, Microsoft-Scumbags Windows 11 product very well. I said I liked nice things, remember? It uses catsrv catalogs, it uses any tunnel open via VPN, it uses and creates virtual tunnels, any neighboring signal, virtual ports, virtual adapters, and the list goes on. It does not matter if you have all ports closed and BT/WiFi off AND in Airplane mode. It still will connect to the server via neighboring devices, or whatever, which actually happens to be an old crappy server at that, with a $12 CPU, in my case. It will format an Anti-Virus USB drive and fill it with more crap immediately. 20 seconds. I watched it happen. With my own eyes. I was able to acquire logs of it "almost speaking to itself" in plain English, like a chatbot, after the 1st time I booted from USB to a "Fix me stick". It immediately identified the product, pulled the product URL and whatever data it could via the net, and immediately wrote its own script based off the existing library. The 2nd time I inserted it, with no signs of connection, and outside the Hyper-V, it immediately formatted and uploaded some crap to it.....
Even if and when you escape the 1st step, which is the Hypervisor VM, you will see an image on the top of your screen. And it will say Microsoft Windows < Version >. Let me save you some time. This ain't a version of Windows you can buy at Walmart. This version of Windows was never released to the public and must be custom. The OS on your physical hardware has been permanently altered. And I fear that anything that comes in contact with this Godzilla is toast. But, what the hell..... ya gotta fight back, right?
Boot the PC as you normally would. Pull up the System Configuration menu; after disabling all services, you should immediately, and fast, post to Safe Mode minimal. You ain't gonna have network anyway! Then Device Manager ASAP, and don't crap your pants, but start disabling as many of the virtual adapters/drivers as possible. There are going to be a lot. So don't worry about whether you are going to need it. If it looks like it ain't right... bye bye. There are going to be several legitimate drivers that are compromised. Message me and I can send you a list. But pull up Task Manager and kill anything with SRVHST on it. Anything with Network, kill it. Anything font related, kill it. LSA.... kill it. Depending on how long you have had it, and if you shut power off and don't have an internal battery, will depend how many services it has captured. Almost all of them were, for me, on some machines, and others that had been shut off, the spares, were in a lot better shape. I think I pissed it off when it, what I assume was unknowingly, locked me out on a blue screen with a command prompt window showing Admin System32 boot X:. What a mistake that was.... I DISKPART'ed (CLEAN ALL command) THE almost 4TB VM drive that I was still connected to somehow. Even got a video with a few cuss words in it. LIST DISK showed 3 drives. My NVMe, which was listed as disk 0, disk 1 which I am assuming was a partition for the Vdrive, and disk 2 was the Drive. Once you get out of the VM and close enough processes/services to render the control halfway, you will be able to navigate some of the files on your physical hardware. You will likely not recognize anything. It was round-filed a long time ago. But if you had an NVMe installed, it will make use of the speed and size for some of their libraries to offset bandwidth, I am assuming.
The full filing system is brilliant in how it lists them actually. I have a bunch of rigs and laptops, like a lot. Every single one was on this Hyper-V VM rootkit. It is a conglomerate of every tool built into Windows 11 + Hypervisor put together in a compressed hidden file, scripted and automated for every scenario possible. I've read the damn logs, PowerShell, Terminal, and Linux, and scraped through the files. It's flippin' crazy. IMO, it absolutely has to utilize some sort of AI assistance.
Everything described in this discussion, and another I was just reading on the Microsoft Community, is dead on what this thing does. The one gentleman on the Microsoft Community Forum who said he solved this by replacing his router is completely wrong, or he was paid off by Microsoft.
Microsoft has made sure that they built in ways to get their advertising dollars, or, in my amateur opinion here, this was not entirely their idea. This was not done by an outfit without significant resources. Well, that's my little adventure; I hope at least a small win might help. Best of luck. I don't know where to go from here. And BTW..... if it ain't already on your phone, it will be shortly after if you decide to pull this stunt off. Go buy a bunch of fast USB-C jump drives and 3.1 or 3.2 USB-A's. You'll need 'em. OR I COULD BE ENTIRELY WRONG!
JB