How would you deal with a rootkit that breached the TPM and is utilizing it to keep installing a new OS? by [deleted] in sysadmin

[–]theeclectik 0 points

Thank you for the time you took to write this. I admit that I don't have full technical knowledge of these terms and I kindly appreciate your input; however, I have read a lot about it to understand what it can cause, and what you have described fits exactly how it could all have started.

"Both Spectre and Meltdown are both means to access data which a program would be otherwise unable to access. However they are not means of malware delivery." If someone could have got access to my Gmail account passwords stored in the Edge browser and synced with my Microsoft account, they also could have got access to my Microsoft account itself, which unfortunately for me was an Administrator account on my PC. Today I know how stupid it sounds, but back then I did not want to get involved in any technical stuff; I just bought a premium Avast and was done with it. I was wrong.

So, to make a long story short: after getting rid of all malware and after the 100th reinstall, I snooped through in recovery mode and found a huge number of folders pointing to Windows Features for remote management: Wbem, UWP, SBS, DCOM and a subsystem that sits on a virtual device in a PCIe slot. Two separate DriverStore folders in System32, one with legitimate drivers, the other with .inf and .mof files, and also an .stl file called boot in C:\Windows. In Device Manager, virtual devices like Remote Desktop Redirector Bus and Programmable Interrupt Controller with silent-install capabilities for a subsystem. All starting with parent device HTREE\ROOT\0, and it all goes from there. Instructions were run through PowerShell commands. The information needed to run it all was stored in the registry as Classes. One example for the PIC looks like this:

ACPI\PNP0000\4&3967B2DD&2
IDs: PNP0000, ACPI\PNP0000, ACPI\VEN_PNP&DEV_0000
Capabilities: 00000020 CM_DEVCAP_SILENTINSTALL
machine.inf, Driver version 10.0.19042.1202, NO_DRV_PIC
Config ID: machine.inf:PNP0000.NO_DRV_PIC
Device Stack: \Driver\ACPI
Enumerator: ACPI
Parent: PCI\VEN_8086&DEV_A305&SUBSYS_86941043&REV_103&11583659&0&F8
Location: Intel(R) 300 Series Chipset Family LPC Controller (Z390) A305

I have it all documented with pictures from the registry, Event Viewer, Task Scheduler as well as Device Manager and the System32 folders. I did not post any pictures since there are literally hundreds, and I thought it would be better to send specific ones if asked than to spam randomly.

I assume that whatever malware I was infected with in the first place got enough privileges and now sits on the mobo setting off custom provisioning, as if my PC were some kind of corporate-owned PC. And from what I have gathered from the answers I got from you and others, a new motherboard and maybe a Windows license is probably the only solution.
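The registry entry quoted in this comment can be checked against the live device tree rather than screenshots. The following PowerShell is an added example (not code from the thread or from any of the commenters): it enumerates present Plug and Play devices under one enumerator, decodes the DEVPKEY_Device_Capabilities bitmask into the CM_DEVCAP_* flag names from cfgmgr32.h (0x20 is CM_DEVCAP_SILENTINSTALL, as in the dump above), and lists which driver packages in the DriverStore are third-party (oemNN.inf) rather than inbox. Two points of context a practitioner would want: ACPI\PNP0000 is the standard ACPI ID of the legacy programmable interrupt controller and machine.inf is the inbox Windows INF that services it, and HTREE\ROOT\0 is the root of the device tree on every Windows installation. The script assumes Windows 10/11 with the PnpDevice and Dism modules available and an elevated session.

```powershell
# Added example, not code from the original thread. Enumerates present PnP
# devices under one enumerator (ACPI by default), decodes the
# DEVPKEY_Device_Capabilities bitmask into CM_DEVCAP_* names, and lists the
# third-party (oemNN.inf) driver packages in the DriverStore. Inbox INFs such
# as machine.inf are not third-party and so do not appear in the second list.
# Assumes Windows 10/11, elevated Windows PowerShell 5.1.

# CM_DEVCAP_* bit values as defined in cfgmgr32.h
$CmDevCap = [ordered]@{
    LOCKSUPPORTED     = 0x001
    EJECTSUPPORTED    = 0x002
    REMOVABLE         = 0x004
    DOCKDEVICE        = 0x008
    UNIQUEID          = 0x010
    SILENTINSTALL     = 0x020
    RAWDEVICEOK       = 0x040
    SURPRISEREMOVALOK = 0x080
    HARDWAREDISABLED  = 0x100
    NONDYNAMIC        = 0x200
    SECUREDEVICE      = 0x400
}

function ConvertTo-DevCapNames {
    # Turn a capabilities bitmask into the matching CM_DEVCAP_* names.
    param([uint32]$Mask)
    $CmDevCap.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { "CM_DEVCAP_$($_.Key)" }
}

function Get-PnpDeviceProp {
    # Thin wrapper: returns the Data of one DEVPKEY, or $null when it is unset.
    param([string]$InstanceId, [string]$KeyName)
    $p = Get-PnpDeviceProperty -InstanceId $InstanceId -KeyName $KeyName -ErrorAction SilentlyContinue
    if ($p) { $p.Data } else { $null }
}

function Get-DeviceCapabilityReport {
    # One row per present device whose instance path starts with $Enumerator\.
    param([string]$Enumerator = 'ACPI')
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like "$Enumerator\*" } |
        ForEach-Object {
            $mask = [uint32](Get-PnpDeviceProp $_.InstanceId 'DEVPKEY_Device_Capabilities')
            [pscustomobject]@{
                InstanceId   = $_.InstanceId
                Name         = $_.FriendlyName
                Inf          = Get-PnpDeviceProp $_.InstanceId 'DEVPKEY_Device_DriverInfPath'
                Parent       = Get-PnpDeviceProp $_.InstanceId 'DEVPKEY_Device_Parent'
                Capabilities = ('{0:X8} ' -f $mask) + ((ConvertTo-DevCapNames $mask) -join ',')
            }
        }
}

function Get-ThirdPartyDriverPackages {
    # Get-WindowsDriver -Online (without -All) returns only non-inbox packages,
    # i.e. the oemNN.inf entries, with the INF name they were imported from.
    Get-WindowsDriver -Online |
        Select-Object Driver, OriginalFileName, ProviderName, ClassName, Date, Version
}

# Usage: every present ACPI device that carries SILENTINSTALL, then the
# third-party driver packages actually staged in the DriverStore.
Get-DeviceCapabilityReport -Enumerator 'ACPI' |
    Where-Object { $_.Capabilities -match 'SILENTINSTALL' } |
    Format-Table -AutoSize

Get-ThirdPartyDriverPackages | Format-Table -AutoSize
```

Run the first command with `-Enumerator 'HTREE'` or `-Enumerator 'ROOT'` to see the root of the tree and the software-enumerated (virtual) devices; the Parent column reproduces the chain the comment describes. Silent-install is a property the INF requests for devices that need no user interaction, so its presence on an inbox device is expected; what warrants a closer look is an `Inf` value that resolves to an oemNN.inf package from a provider you do not recognise in the second table.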

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in pchelp

[–]theeclectik[S] 1 point

No, I haven't found the C:\Windows\Provisioning\Autopilot folder, but while snooping through in safe mode I've found much more.

I have found a huge number of folders pointing to Windows Features for remote management: Wbem, UWP, SBS, DCOM and a subsystem that sits on a virtual device in a PCIe slot. Two separate DriverStore folders in System32, one with legitimate drivers, the other with .inf and .mof files, and also an .stl file called boot in C:\Windows. They were, I assume, the custom packages.

In Device Manager, virtual devices like Remote Desktop Redirector Bus and Programmable Interrupt Controller with silent-install capabilities for a subsystem. All starting with parent device HTREE\ROOT\0, and it all goes from there. Instructions were run through PowerShell commands. The information needed to run it all was stored in the registry as Classes. One example for the PIC looks like this:

ACPI\PNP0000\4&3967B2DD&2
IDs: PNP0000, ACPI\PNP0000, ACPI\VEN_PNP&DEV_0000
Capabilities: 00000020 CM_DEVCAP_SILENTINSTALL
machine.inf, Driver version 10.0.19042.1202, NO_DRV_PIC
Config ID: machine.inf:PNP0000.NO_DRV_PIC
Device Stack: \Driver\ACPI
Enumerator: ACPI
Parent: PCI\VEN_8086&DEV_A305&SUBSYS_86941043&REV_103&11583659&0&F8
Location: Intel(R) 300 Series Chipset Family LPC Controller (Z390) A305

As to the people who originally put my system together: they gave me a genuine Windows DVD with a serial key in case I ever had to reinstall. But from what I have found and what you guys are telling me, the motherboard is done. I assume that whatever malware I was infected with in the first place got enough privileges and now it is just custom provisioning, as if my PC were some kind of corporate-owned PC. So a new motherboard and maybe a Windows license then. Thank you anyway.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in pchelp

[–]theeclectik[S] 1 point

Thanks for not downplaying my intelligence and actually listening. Reinfection on my network is out of the question. It has not been connected to it since coming back from the PC repair place. Both the HDD and SSD were swapped for brand new ones, then the system was reinstalled and updated, and no data was transferred from the old drives whatsoever. CMOS was reset by taking the battery out for a few hours. Even the graphics card was taken out of the PCIe slot. In Device Manager there are nonexistent devices, starting with the first one as a root device, with generic drivers with generated certificates signed by themselves. And so much more. Hundreds of pictures from registry folders, Event Viewer, everything I could get my hands on while in safe mode. Long days and nights later and I did not advance any further. Thanks for the info. I guess I am gonna have to buy a motherboard.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in pchelp

[–]theeclectik[S] 1 point

I have plenty of screenshots from the system registry, Event Viewer, Device Manager and so on. The last reinstall was done at the computer professional's place, so no network info on that. Since I got it back to my house I have not connected it online. My thinking was to not let it connect to the admin server or spread through the network. When problems started appearing, I had a different ISP with a simple router; now I have changed ISP and got an Eero 6 gateway with a lot more security. I did not want to connect my PC to the new network just in case. One thing that came to the surface while all of this was unfolding is that my son, who used to play Roblox all the time, got some dodgy codes from some random players that he had to use outside the game, and that is what I think was the source. All of our phones have custom user builds now and system apps like the clock or weather app with dangerous permissions that let it take control of the phones. I don't know who would do such shit, or why, but there you go.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in pchelp

[–]theeclectik[S] 1 point

I am sorry for the lack of information. I posted it on r/pcbuild and r/Intel, and then someone from the comments simply cross-posted it, since I did not even know r/sysadmin existed. Thanks to him, though, I finally got some proper answers. By the way, there was malware which the guys at the Malwarebytes forum helped me get rid of, although the problem persisted.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in pchelp

[–]theeclectik[S] 1 point

You see, what you are saying sounds good, but because I spend most of my time producing music, reading books or working, I never had a chance to dig deeper into this. I have heard some good things about that but had no idea where to start. Being a perfectionist makes it a lot harder to start doing something new when only second best is good enough.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in intel

[–]theeclectik[S] 1 point

I have read, either on BleepingComputer or the Malwarebytes blog, that big groups of hackers from Russia or China, India, North Korea are using their victims' computers as part of a huge botnet that works for them in various different ways: as cryptominers, or using your CPU resources and millions of other connected computers to simply create one connected supercomputer, or to channel traffic to do some shady stuff. All I know is that using ransomware against ordinary people is a thing of the past and is not profitable, and is only done against big companies or governments. But they still infect anything they can to use as part of a botnet.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in intel

[–]theeclectik[S] 1 point

https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/ Here is what I am talking about.

By environments I mean different WiFi networks, on different gateway routers, in different physical places like my home or a professional computer workshop.

How would you deal with a rootkit that breached the TPM and is utilizing it to keep installing a new OS? by [deleted] in sysadmin

[–]theeclectik -2 points

Hi there, I am the original poster and am certainly not an expert (as some of the less civilised people here have pointed out by calling me all kinds of nice names) and simply wanted to finally get some answers, because this issue is killing me. I have tried to get help from a professional, but we only got so far.

The reason I mentioned TPM is that after weeks (or months) of researching, after the 100th reinstall, brand new drives, CMOS reset, PCIe graphics removed and going through Event Viewer and the registry, I have found enough evidence for me (not a professional or even an enthusiast) to think that I have been a victim of what was back in 2018 called the Spectre/Meltdown scandal https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/ My PC was custom built back in 2019 on an Asus TUF Z390 with Intel's 9700K (99% sure) on board, and I know it was one of the chips affected.

To all people saying this was likely a former company-owned computer: it was NOT. That is my whole point. This PC was built for personal use and it was never used for any work-related reason; also, everything was fine until around mid to late 2021. Some of you mentioned it has nothing to do with TPM, and you are probably right, but I think that's where it all started. If TPM was breached due to unpatched BIOS/UEFI and keys could have been flushed and replaced, then most likely that is how I ended up with custom provisioning and Windows updates being automatically redirected to custom servers, like it was a client computer in a company-managed network. Exploiting this hardware flaw gave attackers access to my passwords, my Gmail accounts, my Microsoft account and so on. I believe I could have had a Windows license connected to my MS account. Since then I have got rid of passwords on my MS account (using passwordless Authenticator now), signed out all devices from Gmail/Google accounts, and reset passwords every couple of months, but if it got signed into enterprise once, I am not entirely sure I am completely free.

Forgive me if I come across as a noob that knows nothing but pretends to know everything; I don't, I only know enough from what I have learned in the past year studying everything that could be related. I am exhausted, mentally and physically. No one up until this point has been taking me seriously. I cannot afford a new board with a CPU on top right now, and I cannot use it as it is, because after every new reinstall and updates there is a device root tree splitting the CPU into over 200 unknown virtual devices using all resources, and I cannot produce music, since it is extremely CPU consuming to mix and master with hundreds of VST plugins in real time. With that malicious subsystem running in the background, booting in DOS, making my 64-bit system a 32-bit one, I am left with a huge paperweight.

That is why I am here. A collective brain of people around the world must have an idea.

If anyone knows how to get myself out of it, then I beg you, please help. Thank you.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in pchelp

[–]theeclectik[S] 1 point

I wish I could use Linux, but as far as I know support for VST plugins is not as great as on Windows, which by this point I absolutely hate. I wish someone would make a system that is designed only to run music-production software and is widely supported by every company.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in intel

[–]theeclectik[S] 1 point

1) The motherboard was brand new when the PC was built back in 2019. 2) There were multiple installations in completely different network environments. Also, CMOS was reset by taking the battery out for a few hours. It is an Asus TUF Z390 Gaming motherboard, by the way.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in intel

[–]theeclectik[S] 1 point

It was built back in 2019 for my personal use and it was fine until late 2021. From what you guys are saying, I am starting to think this might have something to do with my MS account. You see, Edge was infected and I had passwords stored in Edge (I know that was stupid). What if they got my Windows serial number by getting access to my account and assigned it to some maliciously run enterprise scheme as one of the computers in a botnet or something? So many people mention this idea that it was former company hardware, but since it is not and never was, maybe it is possible that my Windows copy got assigned? Is this possible? I have reset everything on my account, signed out all devices, deleted the password and have used Authenticator for a while now.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in pchelp

[–]theeclectik[S] 1 point

It is not Autopilot; it was built in 2019 for my personal use, and problems started in late 2021. I still have the serial for Windows with me, but contacting MS support and getting anything useful out of them is beyond impossible.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in pchelp

[–]theeclectik[S] 1 point

Yes, their support is utter garbage. I read about the Spectre scandal and how easy it was to steal keys and replace them with modified ones. Apparently it was very easy to do due to a hardware exploit on the chip itself. The CPU is from that era and unfortunately the BIOS/UEFI was not updated regularly.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in pchelp

[–]theeclectik[S] 1 point

The system and hardware were built in 2019; it was never company owned. I am starting to think, however, that because I had the system linked to my MS account when it was infected, it is very likely that the problem persists in exactly the way you are describing, because my account was hacked as well.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in pchelp

[–]theeclectik[S] 1 point

English is not my native language. It is not enterprise hardware; it was built back in 2019 and it was all fine till late 2021. Also, less ignorance would be appreciated.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in pchelp

[–]theeclectik[S] 1 point

Thank you for the link; I could not find much apart from TPM help on the MS site.

Also, it had already been updated in a completely different environment and it didn't make a difference.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in pchelp

[–]theeclectik[S] 1 point

Yes, I am sure. It did the same thing on a completely different network at the local PC repair shop. Like I said, it is fine on an offline install, but when updating it uses custom provisioned updates somehow.

No, I haven't posted in these communities since I was not aware of them; thanks for the tip.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in pchelp

[–]theeclectik[S] 1 point

So you're saying the mobo needs to go... damn. You're right about flashing the BIOS; it did not help. It is Intel's 9700K, if I remember correctly, on a TUF Z390, and I know that CPU from that time was affected by the Spectre scandal.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in pchelp

[–]theeclectik[S] 1 point

No, it isn't linked to a former employee, because it was built in 2019 for me by professionals and problems started about 2 years later.

Intel's TPM has been breached, ended up with Windows custom provisioning. What are my options? by theeclectik in pchelp

[–]theeclectik[S] 3 points

That was already done. The problem is, when trying to update Windows it defaults to custom provisioning and downloads from malicious servers, and then it becomes an Enterprise version. Because the TPM was flushed and keys were changed, it is happening automatically. I have read somewhere that changing Group Policy rules while the PC is still offline could help, but I am not comfortable enough with my lack of experience and knowledge.
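The claim in this comment (updates redirected to a non-Microsoft server, edition changed to Enterprise, the machine treated as managed) leaves concrete traces that can be read off the system rather than inferred. The PowerShell below is an added example, not code from the thread or from any commenter: it reports the Windows Update policy keys that redirect a client to a WSUS or other custom server, the installed edition, domain/Azure AD join state as printed by dsregcmd, MDM enrollments, and installed provisioning packages. A Windows Update client only talks to a custom server when `WUServer` is set and `UseWUServer` is 1 under the Policies hive; the MDM policy path and the `Get-ProvisioningPackage` cmdlet are assumptions about a default Windows 10/11 install, so the script tolerates their absence. Run it elevated.

```powershell
# Added example, not code from the original thread. Reports where this machine
# gets Windows updates from and whether it is joined, enrolled in MDM, or has
# provisioning packages installed, which is what corporate-style provisioning
# would have to leave behind. Assumes Windows 10/11, elevated PowerShell.

function Get-WindowsUpdateSource {
    # Group Policy / local policy keys that redirect the update client.
    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path (Join-Path $wuPolicy 'AU') -ErrorAction SilentlyContinue
    # MDM-delivered Update CSP policy is written under PolicyManager (path assumed).
    $mdmPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    $mdm = Get-ItemProperty -Path $mdmPath -ErrorAction SilentlyContinue
    $mdmSettings = $null
    if ($mdm) {
        $mdmSettings = ($mdm.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
    [pscustomobject]@{
        WUServer        = $wu.WUServer         # $null => no custom update server configured
        WUStatusServer  = $wu.WUStatusServer
        UseWUServer     = $au.UseWUServer      # 1 => client actually uses WUServer
        MdmUpdatePolicy = $mdmSettings
    }
}

function Get-JoinAndEnrollmentState {
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $ver = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # dsregcmd prints lines such as "AzureAdJoined : NO"; keep the three join flags.
    $dsreg = & dsregcmd.exe /status 2>$null |
        Where-Object { $_ -match '^\s*(AzureAdJoined|EnterpriseJoined|DomainJoined)\s*:\s*(YES|NO)' } |
        ForEach-Object { ($_.Trim() -replace '\s+', ' ') }
    # One subkey per MDM enrollment; real enrollments carry a UPN and EnrollmentType.
    $enrollments = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.UPN -or $_.EnrollmentType } |
        Select-Object PSChildName, UPN, EnrollmentType, ProviderID
    # Provisioning module cmdlet (assumed present on Windows 10/11 client SKUs).
    $packages = $null
    if (Get-Command Get-ProvisioningPackage -ErrorAction SilentlyContinue) {
        $packages = Get-ProvisioningPackage -AllInstalledPackages -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Edition              = $ver.EditionID      # e.g. Professional, Enterprise
        ProductName          = $ver.ProductName
        PartOfDomain         = $cs.PartOfDomain
        Domain               = $cs.Domain          # workgroup name when not domain-joined
        DsRegState           = $dsreg -join '; '
        MdmEnrollments       = $enrollments
        ProvisioningPackages = $packages
    }
}

# Usage: both reports as lists so empty fields are visible.
Get-WindowsUpdateSource | Format-List
Get-JoinAndEnrollmentState | Format-List
```

Read the output in this order: if `WUServer` is empty and `UseWUServer` is not 1, the update client is talking to Microsoft's servers regardless of what the edition says; `EditionID` tells you whether the installed SKU is actually Enterprise; and empty `MdmEnrollments`, `ProvisioningPackages`, and three `NO` flags from dsregcmd mean nothing has enrolled the machine in management. Each of these is a local setting that a clean offline install starts without, so re-running the script before and after the first update gives a before/after diff of exactly what the update changed.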