Hacked and unable to clean pc


Good Morning

 

Approx. 8 PCs have been hacked, as I have tried to restore them but the worm or whatever is installed/affecting them is still on the PC. Large amounts of data are shown downloaded via the router (PC to bad guy internet address).

Started infecting PCs at one site and over a VPN connection, and then downloaded itself to another site, affecting all of these PCs.

 

I have been working with Norton to eradicate this but they cannot find any sort of a virus, as they recommended coming here!

User admin credentials changed, large downloads, remote access shut off but they still connect, nefarious bad guy IPs are set to connect (netstat -abn shows them connecting at various times and places, data lost). I know they have gotten in and are somehow rewriting, possibly by PowerShell, changes that affect the users and other areas! I put most of the collected troubleshooting data/info I could up on the Norton forums (https://community.norton.com/en/comment/8538567#comment-8538567)

I have been working on this for a few months now, and after several restores whatever is on the PC does not get removed! Built firewalls and they work around it, blocked remote services (tons of tasks etc. shut off) and they work around it. My wife's laptop: set up an admin and user account after a restore, and they removed the admin account and now we cannot log in - only on the standard account. It seems to have something to do with Office, Click-to-Run, Edge, Outlook, as I see activity here but am unable to pinpoint. Hx Tsr? But unable to ID this file, and antivirus never picked it up. Security logs in Event Viewer show changes, I think by PowerShell. No idea how they get in. I am going crazy trying to ID this, but more importantly, after a restore/remove all files, whatever is on the PC does not get removed and they never go away, still downloading and rewriting PC data.

 

What I found was that the restore/remove does NOT rebuild the code, it just removes possibly user data and a few other areas (not a major rebuild). Without a disk I am stuck, as I cannot reset to factory, as I am learning as I go!

5 HP laptops and desktop, 1 Lenovo gaming PC and one other type of PC (2 gaming PCs that support video and security cameras)

 

Ran ALL sorts of antivirus/scans etc. from Norton and a couple of recommended Microsoft scans from the tools page and found nothing.

HUGE amount of time working on this to resolve, but reaching out for help!

Reaching out as I am unable to move forward - desperate!

Any help would be seriously appreciated !

 

Thx

 

Regards


Rich

 

 

10 Replies

Hi @merlin02131 

Please perform a scan with this Microsoft tool, first on one computer, I wonder if it detects the problem?

Microsoft Safety Scanner Download | Microsoft Learn

@Andrzej1

 

Hi Andrzej1

 

Thx for the reply

 

Did that a while ago and found nothing, as right now this has been undetectable for over 2 months of trying to find it, but it has been on the PCs a lot longer.

 

Every antivirus / disk tool / scan tool I have used has come up negative.

I am starting to think about either BIOS or memory but have no clue how to check it.

 

Any help would be greatly appreciated !

 

Thx

 

Regards


Rich

 

@merlin02131 

Please see this article:

Deep Packet Inspection - GeeksforGeeks

Pharming Attack Prevention and Examples - GeeksforGeeks

Is your Norton - a free package?

Do you have kernel integrity enabled?

Do your cameras have IP?

Do you use a VPN?

Change TCP/IP settings - Microsoft Support




Good Morning and Thx for the reply
Is Norton free? No, full subscription running since day one
Do you have kernel integrity enabled? Not sure, as never heard of this
Do your cameras have IP? Onsite yes, at my house just PC cam
Do you use a VPN? Yes, on both the sites I connect to

Regards

Rich
Reviewing this - Thx !

@merlin02131 
As you've said you've done a restore/recovery, I am guessing by that you're saying that you've done a PHYSICAL reformat of the hard drives and restored from external media that has never been in any infected PC? As a restore from an infected PC's 'Restore' partition has the potential to not be clean.

If that is the case, have you investigated the possibility that your machines have been infected at the BIOS/ME level by one of the CPU-level exploits? Depending on the make/model of the machine, there is the possibility that one of the security vulnerabilities that were patched by either Intel or AMD has been impacted. In this case your solution would be to check the MB manufacturer and see if there are any updates for both the BIOS and ME (if it's Intel; I'm not certain what AMD call it).

 

If you're working with Norton, ask them if anything they have done has checked these areas to see if they have been infected. People forget that there are actually 2 'computers' on every one of our machines in the modern era: the ME and UEFI, and then the actual 'main' computer.

 

-Rob

@Robert_Graham Hi Robert, thx for the reply! I have restored via the Windows process, from local to cloud restore, and every time it leaves remnants of the previous install. I have started with all antivirus companies (Norton, Malwarebytes, Defender, one ESET) and no help. Also tracked this darned virus into processors etc. and unable to find anything out of the ordinary. Reached out to all the vendors with open tickets except Microsoft, and am waiting for HP to call. Ungodly hours in looking at this, and it's now beyond my abilities! 8 computers, and god only knows if my firewall, router, TV and other devices are affected as well! In-house lab!

@Merlin1350 So if it's an ME-exploited virus then you will not be able to get rid of it without patching the ME exploit. It's part of the reason that you need to keep on top of the CPU etc. updates. Then there is also the chance that you've had a shadow remote system etc. etc.

 

Your best bet is to isolate each machine and do a clean media install, no backups, just clean straight media, and check on a clean router/switch. Also check those and make certain nothing is using those which shouldn't be.

 

Your other option is, if you can see the IP that is being transmitted to, lock that down in your router's firewall, literally block it. Not a perfect solution, but at least a temporary one.
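
Added example, not part of the original thread or any poster's code: one way to turn saved `netstat -abn` output, like the output mentioned in the first post, into the external addresses per executable that would go on the router block list described above. The sample output, the executable names in it and the function names are constructed for illustration; the remote addresses are from documentation ranges.

```python
import ipaddress
import re

# Constructed `netstat -abn` output; remote addresses are documentation ranges.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
 [svchost.exe]
  TCP    192.168.1.20:49712     203.0.113.45:443       ESTABLISHED
 [powershell.exe]
  TCP    192.168.1.20:49713     192.168.1.1:445        ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.20:49800     198.51.100.7:8443      ESTABLISHED
 [svchost.exe]
"""

# Treated as local: RFC 1918, loopback, link-local, IPv6 unique-local.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat(text):
    """One dict per connection line, with the owning executable when listed."""
    conns, current = [], None
    for line in text.splitlines():
        m, o = CONN.match(line), OWNER.match(line)
        if m:
            # Foreign address is host:port; IPv6 hosts are wrapped in [ ].
            host, _, port = m.group(3).rpartition(":")
            current = {"ip": host.strip("[]").split("%")[0], "port": port,
                       "state": m.group(4), "owner": "unknown"}
            conns.append(current)
        elif o and current is not None:
            # With -b the [executable] line follows its connection line.
            current["owner"] = o.group(1)
            current = None
    return conns

def external_peers(conns):
    """Map executable -> sorted external (ip, port) pairs it is connected to."""
    peers = {}
    for c in conns:
        try:
            ip = ipaddress.ip_address(c["ip"])
        except ValueError:  # e.g. "*" on UDP lines
            continue
        if c["state"] == "ESTABLISHED" and not any(ip in n for n in INTERNAL):
            peers.setdefault(c["owner"], set()).add((str(ip), c["port"]))
    return {k: sorted(v) for k, v in peers.items()}
```

Running `external_peers(parse_netstat(text))` over captures taken at different times shows which executables keep reaching the same outside addresses, which is more useful for a vendor ticket than a raw dump.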

@Robert_Graham Thanks for the quick reply! There must be over 75 IP addresses stored somewhere on the PC, as I cannot find anything! I am looking for a Windows 11 Pro disk now, as I reached out to a few local friends for help! Good advice, as I am working on opening a ticket with the router firewall company now as we speak! Also going the mfg route as we speak! As far as I know everything is at the latest, as I spent most of yesterday reviewing!