RDP Hack turned WIN10 Home Version into VMAzureActiveDirectory Puppet

[Narcosleptographer]

Unable to reinstall Malwarebytes Premium(which I have had for several years) at this time, lucky I was able to get FRST64 to install and run. Have crashed and reinstalled windows 30 some times over the last year , logged into my router settings to change admin name and password and gone through its settings to secure it better, tried every damn thing and become an expert windows geek but not enough to rid myself of this curse. Even created new google acct & email and no longer associate my microsoft acct with every new drive wipe & reinstall, also have a new ssd but nothing has worked. Any help or advice on where to go now is greatly appreciated as this is effecting my ability to work. thanks and HELP!!

FRST.txt Addition.txt

[Maurice Naggar]

Hi,    

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let me know what first name you prefer to go by.

 

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.    

Please only just attach   all report files, etc  that I ask for as we go along.

 

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

Doubleclick on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes. .

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
  
 

[Narcosleptographer]

thank you for your assistance & timely response , I did as you instructed and below is the log file produced. I run a remodeling/construction company I own & work long hours so my responses may be slow but it does not mean i am not interested in your help , I wont let more than one day pass with out responding as I know your time is valuable & 2 or 3 days with no response results in the thread being closed . thank you for your time & willingness to help. my name is Taylor. lets see what we can come up with my friend.

mbar-log-2020-12-07 (22-19-43).txt

[Narcosleptographer]

also I will be making no changes whatsoever to my laptop or os that you do not instruct me to do. thanx.

[Maurice Naggar]

Hi Taylor.   Thanks for your notes, and for the MBAR report.  I am glad to see that the MBAR tool found no rootkit infection.

The Windows 10 operating system version is out of support-life coverage at Microsoft.  The version/build is from the Spring of 2019.   And in the near term, one of your goals needs to be to get it updated thru Microsoft Windows Update to the latest release version, which is named 20H2   ( the fall, October/November 2020 update).

You also mentioned that you have had no luck to re-install Malwarebytes for Windows.  I can guide you on both issues.  Hopefully we will have good luck.

What I would like to do at this point is to run a special custom script.   The goal being to run the Windows System File Checker tool and to pave the way for a future Windows Update run.  There are 2 old-ancient Windows services named USOSVC from years ago & which are not needed that will be removed.  It is possible they are the source of the odd info about the operating system.

This run will also provide a visual display for only 8 seconds of a screen about Advanced start options for Windows 10.  Do not be spooked about that.  It will show for only 8 seconds and then time out and go away.   Just let the display time out each time you see it on a machine restart.  I am placing it just in case for possible use if you find a hard time to start Windows in regular mode.  All this to say, this is a good thing.  Let the display time out.  You may also tap the Enter key to have it go forard in the future.   ( You will only start seeing that after the next system Restart.).

.

 

The system will be rebooted after the script has run.   Pick a time during the day when you will not need the machine for say 30 - to 40 minutes at tops.

.

This custom script is for  TAYLOR  only / for this machine only.

 
Close and save any open work files before starting this procedure.    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

The  custom Fix script is going to be used by the FRST64   tool   which you have on your Desktop folder.

Please save the (attached file named) FIXLIST.txt   to the  Desktop  folder   

Start the Windows Explorer and then, to the Desktop   folder.

RIGHT click on  FRST64    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

Sincerely.

Fixlist.txt

[Narcosleptographer]

Thank you, I will run the script as you have instructed. I am wondering though if you are seeing what I am seeing in the log file from my last reply, it said I have windows 8 , which I never had. this windows install is from a usb windows 10 home version I bought summer of 2019 at best buy , the box say WIN HOME FPP 10 P2 W106796. running the fix now.

[Narcosleptographer]

here is the log from the fix, I would note that I had to reinstall FRST64.exe as the install I had at the beginning of this thread mystyeriously disappeared and when I ran it as admin the fist time(to run the fix) it notified me it did NOT update but did run the fix. several things had been changed on my laptop during work besides that yesterday or last night all prior to me running the fix. not sure what the result of the fix is as I am of to work and wanted to post the fix log before I let the pc/fix restart in case I cant get back on to post it. we will see this evening.......thanks ,     Taylor

Fixlog.txt

[Maurice Naggar]

Well done.   Thanks for the report & for doing the script run.

As to your prior note, I am unclear as to where you saw some mention of 'Windows 8'.  However, the FRST does show that this is on Windows 10  & so does the fixlog.

Now, as I said, the Windows 10 version is one that needs very very much to be upgraded to the very latest Microsoft release version.  

To get better prepared for that update, we should have you get a Microsoft Service Stack Update. This is the November 2020  S S U  for your current version

The title is 2020-11 Servicing Stack Update for Windows 10 Version 1903 for x64-based Systems (KB4586863)

Download and save the file from Microsoft,  saving it to the Desktop    

windows10.0-kb4586863-x64_320630e7f8765a00c86d2669399889b2363d6d05.msu

Once the download is fully completed, go to that file on the desktop.   Then do a RIGHT-click on it with your mouse & then select 

OPEN

Then follow all the prompts & let it proceed.   Let me know when this is all done.   We will do more later to do further Windows Updates.

By the way, the means to view the Windows version & build number is by typing into the Windows search box 

winver

and click on the line with the WINVER run command.   Then look at the displayed mini-window

As I have noted, Windows 10 version 1903 is obsolesced.   I will guide you further.

[Narcosleptographer]

• mbar-log-2020-12-07

[Narcosleptographer]

windows 8 x64 NTFS   Internet Explorer 11.239.18362.0    you dont see this info at the top of the mbar log 2020 12 07 ?????????

[Maurice Naggar]

The FRST report showed 

Quote

Windows 10 Home Version 1903 18362.239 

There is a inconsistency here.

We can run a couple of report sets and get information about the  current status  Windows.

This tool will run in Windows , even if you have to do it through an elevated command prompt.

 

1: Please download & Save DDS from this link  and save it to your desktop:

 

Don't click any flashing ads  ( if any show up).   The download will begin on its own thru your browser.

 

2: Before running DDS, please disable any security software (excluding Malwarebytes ). If you are unsure of how to disable your security software, please skip this step and continue without doing so.

 

3: RIGHT-click dds.com and select OPEN.  (If prompted,  reply YES and allow the tool to run.)

Next click the Start button.

 

This scan will produce 2 logs, DDS.txt and Attach.txt, and save them to your desktop.

When the report has finished, the 2 report files will show in your default text application.

Just Close those 2 windows.

 

4: Please attach the two logs created to your next reply.   DDS.txt and Attach.txt

 .

This next diagnostic will shed some lights about the Windows Update service state.

Download   Farbar's Service Scanner utility from this link

 and Save to your Desktop.

 

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

 

If your firewall then puts out a prompt, again, allow it to run.

 

Once FSS is on-screen, be sure the following items are checkmarked:

Internet Services

Windows Firewall

System Restore

Security Center/Action Center

Windows Update

Windows Defender

Other services

 

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Attach FSS.txt into your reply.

 

[Maurice Naggar]

Hi.  One other thing beyond the above things.      would like to simply just get a plain MSINFO report from this machine. 
Would you please go to the Start button and then the RUN option. ( Windows-key + R key ) 
type in 

msinfo32

  

and tap Enter-key. This starts the Microsoft System Information tool. Allow enough time for the applet to load and finish. 
 
Look on first screen on the menu bar. 
Select File > EXPORT ... 
then provide a meaningful file name and save that. Then also attach that files in a new reply 

[Narcosleptographer]

dds.txt attach.txt msinfo32Taylor.txt

[Maurice Naggar]

Thank you so much for all these reports.  They help because they confirm the Windows operating system version.

MSINFO32 which is the built-in applet in Widows itself, reports  

Quote

OS Name    Microsoft Windows 10 Home    Version    10.0.18362    Build 18362    

The DDS report tool reports  

Quote

Microsoft Windows 10 Home  10.0.18362.

This , along with the info from the FRST, confirm the operating system to be Windows 10.   But it should be noted that the MSINFO is very definitive since that is from the OS itself.

Now it needs to be emphasized, that this build of Windows 10 is past its "good-thru-date" at Microsoft.

Build 18362  is the build from Spring 2019   and falls out of MS support on DEC 8, 2020.

I would re-suggest to do the small Update from Microsoft that I laid out last Wednesday

https://forums.malwarebytes.com/topic/267622-rdp-hack-turned-win10homeversion-into-vmazureactivedirectory-puppet/?do=findComment&comment=1426239

NOTES:  The DDS report does not show a malware infection.   After this update is done, let me know all the result.  Presuming that goes well, we will next do a more significant update for the Windows 10 OS.

Thank you.    Sincerely.

[Narcosleptographer]

ok but that does not answer nor speak to the question I asked which was, do you see the mention of windows 8 in the dds report? also of great concern is the 254 events in the event log that show "activity/transfer" in the windows remote management service which I have previously disabled in the registry with a D-Word value of 4 in the startup type. in some of these 254 events , some make mention of a remote destination pc as well as IIS and .NET references , both of which I previously "turned off" in "turn windows features on or off" from the uninstall programs/control panel option.  look I get it , my pc is WAY out of date, I am reinstalling windows from a 2019 version on usb and have been every week now for over a year now. I also get that your interest and expertise' is windows update, but I can never get around to updating my system due to a breach in my security. I also get that breach isnt malware , it is some hacker using legit apps and processes to redirect my system resources for his/her criminal purposes which is why you could light a smoke off of my laptop cooling fan exhaust while my 8Gb a ram is at 58% use with NOTHING running but taskman and my i7-7700 2.8Ghz 8core CPU is at 45% while overclocked(not by me) up to 3.8Ghz with all 8 cores , all of them just burning the heck up ? thing is that I been a paying customer of malwarebytes premium service for almost 4 years and have not once had it detect a single issue before my os just vanishes without a trace leaving me lost in cmd.exe in drive X:/> wondering where my entire system went, so many times I lost count after reinstall #65 in september. so maybe you could give me a bit of a long term plan or end game you are working towards because it sure seems like you are taking me down the path of "we just need to get this paranoid pc illiterate cluck to update his os and install security software so he can safely go back to surfing porn" but this is or was my business laptop, I have a desk top that I surf all my porn on and it never crashes, only the newer faster pc with the important bank account, mortgage payment, amazon account, credit card info on it. I have had to contest charges on my credit card a dozen times, 3 of which I had to get new cards with new numbers, had to change account #s at the bank twice and wait the 7 to 10 days for a new debit card all whilst having NO DEBIT card to use. not sure if I am accurately communicating the situation I find myself in or just coming across like I am bitching you out? I hope it is not the latter , because I also get that your intent is to help me so I have no desire to misdirect my frustration with my current os issues towards you, I do appreciate your time and efforts, truly. just like to see some action in a direction that confirms you are hearing me and seeing what I am seeing? see if I can attach the event log for you..........not sure if it will be of any help? sorry about venting at you.     Taylor

EventLogForMaurice.txt

[Narcosleptographer]

also worth noting , when I go into WMIC from CMD and enter "loadorder , the first thing listed is EMS ? should Emergency Management Service be the first module loaded at startup? is that normal? also file virtualization and scsi miniport and PnP_TDI and what the heck is "NetDDEGroup" ? just currious when the last one nothing comes up from a google search, but then the results of my searches are being redirected as none of the results I ever get any more are newer then 2013, weird huh ? there aint many folks I wanna do bad stuff to , but this hacker clown sure is one of them !!    Taylor

[Maurice Naggar]

Allow me to point out a few things.  All this meant to help you !  You asked

Quote

do you see the mention of windows 8 in the dds report?

Answer:  In fact the DDS report does show that this operating system is Windows 10  !!!  It reported 

Quote

Microsoft Windows 10 Home  10.0.18362.

To your saying  

Quote

 I am reinstalling windows from a 2019 version on usb and have been every week now for over a year now.

If you have been doing that since this case opened  .....That is not advised.  What you have got on that USB is way way out of date.

I have trying, really trying, to help and guide you to getting this system properly updated from Microsoft.

I am a volunteer here sincerely trying to guide you.  If you are not inclined to follow my guidance, then I do regret that  and I will have to drop out of this case.

 

[Narcosleptographer]

3 hours ago, Maurice Naggar said:

 

I have trying, really trying, to help and guide you to getting this system properly updated from Microsoft.

 

 

I dont need help updating my system, it was updated when I first got hacked. I need help removing a breach in what was my updated "secure" system and the damage to my system and privacy/security. maybe a malware removal forum isnt where I should seek help as it obviously isnt malware I am dealing with, but a hack which uses legit windows app modules and services/processes to circumvent even updated systems with premium security? one last thing, I followed your guidance exactly and did every thing you instructed me to , when you instructed me to. but you wanna bail out on me that is your choice, as you said, you are a volunteer. thanks for your time and efforts anyways , I do appreciate it.           peace out    Taylor

[Maurice Naggar]

The build of Windows on this system is out of date.   Windows 10 Build 1903 is from the Spring of 2019  and Microsoft lists it as out of service life as of December 8, 2020.

I have relayed that to you before.   This system as it is now will not be getting security updates from Microsoft.  Further to that, there have been 3 newer versions of Windows 10 since that release ( the one on this machine now.).   Thus this operating system is still out of date .

Consumer editions ( whether Home or PRO ) are supported by Microsoft for 18 months.   After that period, they are out of support.

The following is what Microsoft has to say.

Quote

Current status as of December 8, 2020

As of December 8, 2020, all editions of Windows 10, version 1903 and Windows Server, version 1903 have reached end of service. Devices running these editions will no longer receive monthly security and quality updates containing protections from the latest security threats. We recommend that you update these devices to the latest version of Windows 10 immediately.

See https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-1903

Further,  you can check for yourself on your machine as to the version of Windows.  Go to the Windows search box.   Type in

WINVER

and click on WINVER.   Look at the mini-window shown for the information about the Version and Build.

That is really important.  

As to suspected infection,  The run of the Malwarebytes Anti-rootkit  ( MBAR)  reported no infection,  We can do more checks for other potential  malware later,  but it is very critical at this point that you get this Windows operating system up-to-date simply for the security implications.  And if you are not inclined to follow guided help,  then I must respectfully disassociate from this case.

I wish you well.

 

Edited December 13, 2020 by Maurice Naggar

[Maurice Naggar]

Good morning.  I hope you are doing well.
You mentioned that you had a USB-flash-thumb drive that you had been using.  Here is how to have it newly refreshed with the latest from Microsoft.  Follow the article at Bleepingcomputer below the section titled  "How to upgrade to Windows 10 for free"
https://www.bleepingcomputer.com/news/microsoft/you-can-still-upgrade-to-windows-10-for-free-heres-how/

After you have done that, let me know & we can do some other checks to review this system,

[Maurice Naggar]

Hello.  You have written to say that the Windows 10 Operating version is at the very latest released build.

What other updates are you now referring to ?

Do a new Windows 10 >>  Settings >> Update & Security >>> Check for Updates.    what does it show ?

and if you look real close, you should see a blue-colored line "View Optional Updates".   You can click that and see what is listed, if anything.