Forum Discussion

merlin02131
Copper Contributor
Dec 20, 2022

Hacked and unable to clean pc

Good Morning


Approx. 8 PCs have been hacked. I have tried to restore them, but the worm or whatever is installed/affecting them is still on the PC. Large amounts of data are shown downloaded via the router (PC to bad guy internet address).

Started infecting PCs at one site, then over a VPN connection downloaded itself to another site, affecting all of these PCs.


I have been working with Norton to eradicate this, but they cannot find any sort of virus, and they recommended coming here!

User admin credentials changed, large downloads, remote access shut off but they still connect, nefarious bad guy IPs are set to connect (netstat -abn shows them connecting at various times and places, data lost). I know they have gotten in and are somehow rewriting, possibly by PowerShell, changes that affect the users and other areas! I put most of the collected troubleshooting data/info I could up on the Norton forums (https://community.norton.com/en/comment/8538567#comment-8538567).

I have been working on this for a few months now, and after several restores whatever is on the PC does not get removed! Built firewalls and they work around it; blocked remote services (tons of tasks etc. shut off) and they work around it. My wife's laptop: set up an admin and user account after a restore, and they removed the admin account, and now we cannot log in, only on the standard account. It seems to have something to do with Office, Click-to-Run, Edge, Outlook, as I see activity here but am unable to pinpoint. Hx Tsr? But unable to ID this file, nor did antivirus ever pick it up. Security logs in Event Viewer show changes, I think by PowerShell. No idea how they get in. I am going crazy trying to ID this, but more importantly, after a restore/remove all files, whatever is on the PC does not get removed, and they never go away, still downloading and rewriting PC data.


What I found was that the restore/remove does NOT rebuild the code; it just removes possibly user data and a few other areas (not a major rebuild). Without a disk I am stuck, as I cannot reset to factory, as I am learning as I go!

5 HP laptops and desktops, 1 Lenovo gaming PC and one other type of PC (2 gaming PCs that support video and security cameras).


Ran ALL sorts of antivirus/scans etc. from Norton and a couple of recommended Microsoft scans from the tools page and found nothing.

HUGE amount of time working on this to resolve, but reaching out for help!

Reaching out as I am unable to move forward. Desperate!

Any help would be seriously appreciated !


Thx


Regards

Rich


  • Robert_Graham
    Copper Contributor

    merlin02131
    As you've said you've done a restore/recovery, I am guessing by that you're saying that you've done a PHYSICAL reformat of the hard drives and restored from external media that has never been in any infected PC? A restore from an infected PC's 'Restore' partition has the potential to not be clean.

    If that is the case, have you investigated the possibility that your machines have been infected at the BIOS/ME level by one of the CPU-level exploits? Depending on the make/model of the machine, there is the possibility that one of the security vulnerabilities that were patched by either Intel or AMD has been impacted; in this case your solution would be to check the MB manufacturer and see if there are any updates for both the BIOS and ME (if it's Intel; I'm not certain what AMD call it).


    If you're working with Norton, ask them if anything they have done has checked these areas to see if they have been infected. People forget that there are actually 2 'computers' on every one of our machines in the modern era: the ME and UEFI, and then the actual 'main' computer.


    -Rob

    • Merlin1350
      Copper Contributor

      Robert_Graham Hi Robert, thx for the reply! I have restored via the Windows process, from local to cloud restore, and every time it leaves remnants of the previous install. I have started with all antivirus companies (Norton, Malwarebytes, Defender, ESET) and no help. Also tracked this darned virus into processors etc. and unable to find anything out of the ordinary. Reached out to all the vendors with open tickets except Microsoft, and am waiting for HP to call. Ungodly hours looking at this, and it's now beyond my abilities! 8 computers, and God only knows if my firewall, router, TV and other devices are affected as well! In-house lab!

      • Robert_Graham
        Copper Contributor

        Merlin1350 So if it's an ME-exploited virus then you will not be able to get rid of it without patching the ME exploit; it's part of the reason that you need to keep on top of the CPU etc. updates. Then there is also the chance that you've had a shadow remote system, etc. etc.


        Your best bet is to isolate each machine and do a clean media install, no backups, just clean straight media, and check on a clean router/switch. Also check those and make certain nothing is using them which shouldn't be.


        Your other option is, if you can see the IP that is being transmitted to, lock that down in your router's firewall, literally block it. Not a perfect solution, but at least a temporary one.
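A small triage script for two points raised in this thread: the original post's observation that `netstat -abn` shows connections to unknown addresses, and Rob's suggestion to block the destination IP at the router. This is an added example, not code from the thread, from Norton, or from any Microsoft tool. It parses a saved `netstat -abn` capture (taken from an elevated prompt, since `-b` needs administrator rights to show the executable under each connection), drops LAN/loopback traffic, and lists the external addresses held open by processes you would not normally expect to be talking to the internet. The capture below and the allowlist are constructed for the example; the 203.0.113.x and 198.51.100.x addresses are documentation ranges standing in for real destinations.

```python
"""Triage a saved `netstat -abn` capture (Windows): pair each connection
with its owning executable, keep established connections that leave the
LAN, and flag the ones held by processes outside a small allowlist.

Added example for this thread; the capture and allowlist are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout `netstat -abn` prints: the executable
# name follows its connection line in square brackets, sometimes after an
# unbracketed service name (e.g. RpcSs). UDP lines have no State column.
SAMPLE_CAPTURE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.23:49710     192.168.1.1:445        ESTABLISHED
 [System]
  TCP    192.168.1.23:49811     203.0.113.45:443       ESTABLISHED
 [msedge.exe]
  TCP    192.168.1.23:49822     198.51.100.7:8443      ESTABLISHED
 [powershell.exe]
  TCP    192.168.1.23:49830     198.51.100.7:8443      ESTABLISHED
 [powershell.exe]
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
"""

# Processes you expect to reach the internet on this PC (assumption for the
# example; tune per machine). Anything else holding an external connection
# gets a closer look.
EXPECTED_PROCESSES = {"msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe"}

# Address space that never leaves the LAN. Listed explicitly rather than
# via ipaddress.is_private, which also treats the documentation ranges used
# in the sample as private.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fe80::/10", "fc00::/7")]

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """Return one dict per connection: proto, local, remote, state, exe.
    The bracketed executable line is attached to the connection before it."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "exe": None})
            continue
        e = EXE_RE.match(line)
        if e and conns and conns[-1]["exe"] is None:
            conns[-1]["exe"] = e.group(1)
    return conns


def split_host_port(addr):
    """'203.0.113.45:443' -> ('203.0.113.45', '443'); also handles [v6]:port."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def is_external(host):
    """True for a parseable IP that is not LAN, loopback, link-local or multicast."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' or a hostname; nothing to classify
        return False
    return not any(ip in net for net in LOCAL_NETS)


def suspicious_connections(conns):
    """ESTABLISHED connections to external IPs from unexpected processes."""
    return [c for c in conns
            if c["state"] == "ESTABLISHED"
            and is_external(split_host_port(c["remote"])[0])
            and c["exe"] not in EXPECTED_PROCESSES]


def remote_ips_by_process(conns):
    """Group flagged remote IPs by owning process: the list to take to the
    router firewall and to the vendor ticket."""
    groups = defaultdict(set)
    for c in suspicious_connections(conns):
        groups[c["exe"]].add(split_host_port(c["remote"])[0])
    return {exe: sorted(ips) for exe, ips in groups.items()}


if __name__ == "__main__":
    # Real use: netstat -abn > capture.txt, then open("capture.txt").read()
    for exe, ips in remote_ips_by_process(parse_netstat(SAMPLE_CAPTURE)).items():
        print(f"{exe}: {', '.join(ips)}")
```

On the constructed sample this reports only `powershell.exe: 198.51.100.7`, which is the kind of line worth matching against the router's traffic log before adding a block rule. One caveat a responder would add: `netstat` runs on the suspect host, so on a machine that really is compromised its output may be incomplete; corroborate the addresses from the router or from a separate monitoring box before treating the list as complete.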
