
Infected with a persistent infection that persists through nuke and boots



Hello there, new here. I have been struggling for quite a while with a persistent infection that seems to persist through a full restore, clean boot, nuke and boot (i.e. wipe and reformat SSD), wiping and using Windows media recovery, OEM installer USBs, recovery media CD-ROMs created from Windows ISOs directly from within the Windows media creation manager, and even through replacing physical components such as GPU, CPU, PSU, RAM, SSDs, and motherboards. The symptoms have spanned multiple Windows-based devices for going on 12 months now, around 16 hours a day working an Enterprise & SMB vCISO, cybersecurity researcher and SaaS development position on the machine left standing throughout this infection, while simultaneously fighting against this intrusive infection that seemingly resembles a UEFI-level bootkit.

The symptoms take place at boot time and worsen once the OS loads to the desktop of the local Admin; a CMD window pops up as Windows boots to the desktop. MBR repairs fail and the MBR is seemingly corrupt when scanning. FixBoot commands fail with access denied or other random errors. SFC scans fail with "the system could not perform the requested operation" errors in clean boot, safe boot and standard OS mode, PATH issues occur, and access denied errors start occurring on things they shouldn't. There will be rogue user-mode, per-user services running, seen in Task Manager, for AarSvc, BluetoothUserService, CaptureService, cbdhsvc, CDPUserSvc, ConsentUxUserSvc, CredentialEnrollmentManagerUserSvc, DeviceAssociationBrokerSvc, DevicePickerUserSvc, DevicesFlowUserSvc, and OneSyncSvc on a fresh boot as soon as the desktop loads after a wipe and reinstall through recovery media. Booting into an admin-elevated CMD and running a basic "taskkill /f /pid [usermode service PID]" often fails with access denied on these user-mode per-user services, listed as AarSvc_27fh or some other random identifier string (which changes each boot or each time the file is created). Setting UserServiceFlags to a hex value of 0 in the registry under the template for the user-mode services prevents these services from running, but the workaround is spotty and from time to time they are seen running again. I have also utilized startup scripts scheduled in Task Scheduler to disable these services on startup as a minor workaround. The clock of the OS is set to Pacific time though I am in the Central time zone. The stock Edge browser seemingly has spoofed foreign results from other countries in Chinese or Japanese, as do any other mainstream browsers tried, such as Firefox, Chrome etc. Oftentimes programs I use often will be blocked from download after an issue was caused with the program.
(Example: I download steam.exe, install it, log in and play a game, try launching Steam the next day only to find unsolvable errors requiring a reinstall, attempt to reinstall Steam from the official source once again and get "network errors" or a plethora of "Defender blocked this download" errors. Attribute this pattern to all programs used often.) Frequently the iconcache.db is corrupt or missing. Attempting to use tweaking dot com Windows Repair x64.exe with my technician key to repair instances of issues with Windows updates resulted in access denied errors on resetting WMI when running Tweaking from a system level using another tweaking.exe process (run program as system). As local admin I have also had "Access denied" errors. There are seemingly issues with the onboard network interfaces at boot, and no matter what, a full network stack reset has yet to be successful. DISM scans tend to find nothing wrong. Malwarebytes, Windows Defender, RogueKiller, and even AdwCleaner found nothing, even on deep scans and with rootkit scans allowed within the Malwarebytes settings.

 

FRST_31-03-2023 23.59.21.txt Addition_31-03-2023 23.59.21.txt Shortcut_31-03-2023 23.59.21.txt
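The post describes per-user service instances (AarSvc_27fh and similar) that are hard to kill and a UserServiceFlags workaround on the service templates. The script below is an added example, not code from the poster or from Malwarebytes; it maps each running per-user instance back to its template key and reads the template's Start and UserServiceFlags values, so an instance running despite a disabled template, or an instance with no template at all, stands out. It assumes an elevated PowerShell on Windows 10/11 and the documented Type flags 0x40 (template) and 0x80 (instance).

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SERVICE_USER_SERVICE      = 0x40   # Type flag: per-user service template
$SERVICE_USERSERVICE_INSTANCE = 0x80   # Type flag: per-user instance (<Template>_<suffix>)

function Get-PerUserServiceTemplates {
    # Collect every service key whose Type marks it as a per-user template.
    $templates = @{}
    foreach ($key in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $p -or $null -eq $p.Type) { continue }
        $isTemplate = ($p.Type -band $SERVICE_USER_SERVICE) -ne 0
        $isInstance = ($p.Type -band $SERVICE_USERSERVICE_INSTANCE) -ne 0
        if ($isTemplate -and -not $isInstance) {
            $templates[$key.PSChildName] = [pscustomobject]@{
                Template         = $key.PSChildName
                Start            = $p.Start             # 4 = disabled
                UserServiceFlags = $p.UserServiceFlags  # 0 = do not create per-user instances
                ImagePath        = $p.ImagePath
            }
        }
    }
    return $templates
}

function Get-PerUserServiceReport {
    $templates = Get-PerUserServiceTemplates
    # Instances are named <Template>_<hex suffix>; the suffix changes per logon session,
    # which is why a PID or name captured on one boot is stale on the next.
    foreach ($svc in Get-Service) {
        if ($svc.Name -notmatch '^(?<t>.+)_(?<suffix>[0-9a-fA-F]+)$') { continue }
        $t = $Matches['t']
        $tpl = $templates[$t]
        [pscustomobject]@{
            Instance         = $svc.Name
            Status           = $svc.Status
            Template         = $t
            TemplateFound    = [bool]$tpl
            TemplateStart    = if ($tpl) { $tpl.Start } else { $null }
            UserServiceFlags = if ($tpl) { $tpl.UserServiceFlags } else { $null }
            ImagePath        = if ($tpl) { $tpl.ImagePath } else { $null }
            # Running instance whose template is disabled, or no template key at all,
            # is the case worth looking at more closely.
            Anomaly          = ($svc.Status -eq 'Running') -and (-not $tpl -or $tpl.Start -eq 4 -or $tpl.UserServiceFlags -eq 0)
        }
    }
}

Get-PerUserServiceReport | Sort-Object Anomaly -Descending | Format-Table -AutoSize
```

Instances whose template has a Microsoft-signed ImagePath under %SystemRoot%\System32 and a default UserServiceFlags are the normal per-user services shipped with Windows; the Anomaly column is meant to narrow the list to what actually merits inspection.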


Oops, Sorry kind people, I forgot to add a few symptoms observed.

Often when a network issue is witnessed, i.e. the network seems to drop during a download of a game or program, I will navigate to the settings menu through the Start menu and choose "Network settings", hoping to address the network interface through network settings, but the network settings page opens then closes. Attempting to reset the IP stack, or running even a meager "netsh int ip reset ipv4 all" command in an elevated CMD window as the local admin, results in access denied errors unless the related security registry key is deleted, and even then performing the same command on IPv6 fails with access denied no matter what I try, preventing a full network stack reset throughout the course of the observed symptoms. Buffer overflow warnings in dialog boxes are spammed for multiple background tasks when embedded mode is disabled and background app usage is disabled in Settings, and shortcuts on the desktop will be moved to a new location on the desktop on reboot. Often, searching in %systemroot% via elevated CMD to delete malicious files, via myself or Tweaking repair scripts, will get "file not found" unless copy/pasting the path directly. Winget is not identified as a command when running winget via elevated PowerShell to uninstall unwanted programs, and I am not prompted to install it. When attempting an "attrib -s -h -r /s /d *.*" command, followed by a "dir" command, in an elevated CMD prompt as the local admin, to attempt to manually remove any nefarious or unwanted files, I notice certain files used for keyloggers and other payloads, verified through sources like VirusTotal etc. (example logger file found in this manner: hh.exe). Removing them is impossible; for example, a "del hh.exe" command will result in access denied errors.


And perhaps the most important observation from a security standpoint: the PC, upon fresh install of Windows using recovery media of any kind, will be enrolled in MDM Intune, and the Enterprise-level Office 360 suite loads onto the device, though the device has been rebuilt completely with new parts and components, even with a new OEM installer USB used to install the clean OS. There is no Intune enrollment of this device on my end being performed by myself, and the only domain it COULD be enrolled in for our organization has been purposefully allowed to lapse.


Root Admin

Hello @HelloSecurityWI

I don't have time to assist right now, but my guess is that it's because you did not opt to install using a LOCAL account and your Microsoft Online account (that it defaults to) finds and Syncs your Intune stuff.

 

 

Greg Carmack - MVP 2010-2020 - Clean Install Windows 10
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/

 

I should be available on Sunday evening or back on Monday

 


On 4/1/2023 at 2:17 AM, AdvancedSetup said:


Thank you for the reply, apologies on the delay; my Malwarebytes forum password was changed on me since yesterday. I had to perform a credential re-roll.


On 4/1/2023 at 2:17 AM, AdvancedSetup said:


I apologize, I should have clarified: I am using a local Admin account vs a Microsoft account. The PC that the MDM Intune enrollment continues on is using Windows 10 Home, a Ryzen 5 ATX custom build. There has not been an enterprise OS build in place to allow for MDM enrollment, and the PC that did in fact have enrollment was initially 3 rebuilds ago; I am now using new peripherals and hardware components. Replaced RAM, motherboard, SSDs, CPU, GPU, PSU, and fan ARGB controllers.


Root Admin

The current installation from the logs shows that this version of Windows is quite old. It was installed on 2019-12-07, about 3 1/2 years ago.

Not sure what you're wanting to do at this point based on an old Windows install but let me know.

Thank you @HelloSecurityWI


On 4/3/2023 at 1:03 PM, AdvancedSetup said:


Hey, thanks for the reply, and again I must apologize: a SECOND password reset was required to log in here and respond, even using the KeePass password manager. I guess my intention here would be to get one clean, up-to-date install, as the install you mentioned is older, as in three years old. It was created using the Windows Media Creation Tool directly from the Windows website, albeit with the infected machine, but the same seems to occur no matter the machine the ISO creation or USB recovery media is attempted to be made on. It always boots with the same signifiers of this bootkit. I would truly, truly appreciate assistance in getting a single clean, up-to-date ISO installer burned to a dual-layer disc.

 

In the past, when attempting to use a USB OEM installer direct from Windows ($200 apiece), the infection transferred to the USB and installed onto the newly configured OS; fast forward 3 of these OEM USBs and at least 5 different CD reader/writers with a plethora of boot discs (including one Hiren's boot disc it overwrote somehow). When attempting to use a CD/DVD R/W to boot from an ISO burned to a dual-layer disc, you can actually hear the disc being burned to in the pre-install phase (before the TOSD agreement pops up and you begin making choices to install the OS).

 

To clarify, this happens with clean boot, nuke and boot methods, upgrade in place, safe boot, factory restore prompted via elevated CMD, and anything else.


Root Admin
8 hours ago, HelloSecurityWI said:

To clarify, this happens with clean boot, nuke and boot methods, upgrade in place, safe boot, factory restore prompted via elevated CMD, and anything else.

I am not aware of any known bootkit or other infection that functions like that.

If it is as you say, then I would suggest you physically take the computer to a Computer Repair shop that specializes in security and have them assist you.

Best wishes and I hope they're able to help you with this.

Cheers

 

 

