
Pretty sure I have a malicious bootkit. It has changed the startup following BIOS to get database info from OneDrive. Can anyone provide advice as to how to recover the original boot setup?

Anonymous
2023-04-19T05:26:34+00:00

I have located the MBR and checked the size of the 4 partitions. Partition 1 is 2TB, while the other 3 are empty. My guess is the information to access the database is here.

I have tried reset.

I have tried MCT on a new hard drive.

Most recently I noticed my phone and tablet, both Samsung, have something wrong too; they can't tell me what version of the operating system they are running.

I just bought a new computer. Took the WiFi and Bluetooth module out of it. New screen, new keyboard and mouse, a D-Link USB WiFi (to remove Bluetooth, as I think Bluetooth LE is the way it is spreading to other devices) and a new wireless internet connection. Within an hour (even with all other devices on airplane mode) the new computer was showing the same symptoms as the old computer.

The malware adds users, gives permissions, sets groups and group policy, then logs the new user off. I don't have control of a new computer that is only a day old.

My latest idea is to reflash the BIOS, wipe Windows 11 and reinstall, but I'm sure the OneDrive database will still get called. I can see about 3 flashes of a cmd or PowerShell screen occur just after the logon page, and no matter what I have done all settings revert.

also
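As an added example, not code from the thread or from Microsoft, the Python below parses a raw 512-byte MBR sector and reports its four partition entries, which is the check the question describes. Windows 11 installs onto GPT disks, whose first sector is a "protective MBR" holding a single type 0xEE entry that spans roughly 2 TiB, so the parser labels that layout explicitly rather than leaving it to look like a hidden partition; the sector used when the script runs without a disk is constructed here.

```python
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446          # 446 bytes of boot code precede the 4 x 16-byte table
SIGNATURE = b"\x55\xaa"          # boot signature at bytes 510-511
PROTECTIVE_GPT_TYPE = 0xEE       # partition type used by the protective MBR on GPT disks
ENTRY_FMT = "<B3xB3xII"          # status, CHS start (skipped), type, CHS end (skipped), LBA, count

def parse_mbr(sector):
    """Parse one 512-byte MBR sector into (signature_ok, [4 partition entries])."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    sig_ok = sector[510:512] == SIGNATURE
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        entries.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                        "first_lba": lba, "sectors": count, "bytes": count * SECTOR})
    return sig_ok, entries

def classify(sig_ok, entries):
    """Describe the table so a single ~2 TiB 0xEE entry is recognised as GPT's protective MBR."""
    used = [e for e in entries if e["type"] != 0]
    if not sig_ok:
        return "no 0x55AA signature: not a valid MBR sector"
    if len(used) == 1 and used[0]["type"] == PROTECTIVE_GPT_TYPE:
        return "protective MBR of a GPT disk (normal for a UEFI Windows 11 install)"
    if used:
        return "legacy MBR partition table with %d used entries" % len(used)
    return "empty partition table"

def build_sample_protective_mbr():
    """Constructed sample, not data from the thread: the protective MBR a GPT disk carries."""
    sector = bytearray(SECTOR)
    # One 0xEE entry from LBA 1 with the maximum sector count (0xFFFFFFFF), i.e. just under 2 TiB.
    struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET, 0x00, PROTECTIVE_GPT_TYPE, 1, 0xFFFFFFFF)
    sector[510:512] = SIGNATURE
    return bytes(sector)

if __name__ == "__main__":
    # To inspect a real disk, read its first 512 bytes, e.g. open(r"\\.\PhysicalDrive0", "rb").read(512)
    # from an administrator prompt on Windows; here the constructed sample is parsed instead.
    ok, ents = parse_mbr(build_sample_protective_mbr())
    print(classify(ok, ents))
    for e in ents:
        if e["type"]:
            print("partition %d: type 0x%02X, first LBA %d, %.2f TiB"
                  % (e["index"], e["type"], e["first_lba"], e["bytes"] / 2 ** 40))
```

A single 0xEE entry of about 2 TiB with three empty slots is the standard protective MBR; a meaningful integrity check compares the sector byte-for-byte against the same disk after a clean install rather than reading the sizes alone.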


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

9 answers
  1. Anonymous
    2023-04-23T08:05:21+00:00

    Hi Greg,

    No one reinstalled the legacy boot, but upon doing forensic tests I noticed the first partition in the MBR was linked to a 2TB storage capacity.

    Straight out of the box, a new install of Windows 11 on a brand new computer, with all peripherals being new as well, including the wireless hotspot and WiFi dongle (I removed the combination WiFi/Bluetooth module), with no devices previously used in the old infected computer in the same room and all on airplane mode. In less than 30 minutes I could see the same symptoms happening.

    I have reinstalled it with a clean MCT USB, after wiping the disk.

    Symptoms are User Account Control adding users, giving permissions, adding to groups, and enforcing group policy, effectively shutting me out of the computer. If I try to stop any of it, the permissions are taken away for Event Viewer and firewall management.

    WinRE repair mode won't run.

    bootrec.exe was run.

    bootrec /fixboot gave a return of "access is denied".

    I'm a hybrid node... so a remote device is in control.

    I have put more information on another version of this question on the Azure support page, as I found logs with Azure and TEE management in them. I took drastic steps to keep this computer separate, as when I bought a new computer a few years back this bot or whatever it is instantly moved to the new computer that time as well. So if I am able to find a fix, I will have 3 computers...

    I can't believe it made it to the new computer without any direct contact with devices I assume are infected too. The phone and tablet are both Samsung and are not able to tell me which Android version they are running, so I know they are infected too.

    Any ideas besides the clean install, as for me that solution unfortunately doesn't work.

  2. Anonymous
    2023-04-19T11:50:31+00:00

    Most of it went well. The final command bootrec /fixBoot was denied access.

    I rebooted and then ran the final two cmds. Again some were denied access...

  3. Anonymous
    2023-04-19T11:44:01+00:00

    Yes please and update me so I can go further with you :)

  4. Anonymous
    2023-04-19T10:16:21+00:00

    Thank you Nada for replying.

    I will look at the link just now. It appears to be management software like Azure AD maybe; I don't know the Azure suite at all, but I am self-employed so shouldn't be being managed!

    Just a little more reading and I found out that bootloaders and other important areas like Secure Boot and TPM are manipulated by Azure attestation processes... Do you know anything about this???

    Also, the persistence comes from the MBR, which disguises part of itself as GPT so isn't recognized. That's all good for within the local machine, but how did it infiltrate a new computer that has not been connected to any previously "infected" devices? I removed the Bluetooth and WiFi combo, but added a USB WiFi, so without authorization it must have connected to a phone or tablet.

    I'm thinking I need to completely clean house, get new devices all at the same time or it will return.

    Anyways, I'll go research the link you provided.

  5. Anonymous
    2023-04-19T09:56:57+00:00

    Hello TreborSan,

    My name is Nada; I'm here to help you.

    I'm sorry that you are experiencing this issue, and I will try my best to assist you.

    I strongly suggest that you first repair the MBR of your Windows operating system. To do this, you may follow the steps found at the link below.

    https://www.thewindowsclub.com/repair-master-bo...

    Please let me know if anything is unclear or if the issue is still unresolved.

    _________________________________________________

    Note: This is a non-Microsoft website. The page appears to be providing accurate, safe information. Watch out for ads on the site that may advertise products frequently classified as a PUP (Potentially Unwanted Program). Thoroughly research any product advertised on the site before you decide to download and install it.
