C
coltongibson
Please forgive me for my lack of knowledge with some of this but Ive been dealing with this for days now I couldn't decide if I was just being paranoid or if there was actually something(or someone) that has hijacked my PC. I will Let the you all decide but to me this all seems bizarre.
I dont remember exactly how I stumbled onto this other than a few days ago my net was acting weird. im gonna list several event id codes but the ones that are the most troublesome to me are these:
event id 7034: The Windows Search service terminated unexpectedly. It has done this 349 time(s).
7023: The Windows Search service terminated with the following error:
The system cannot find the drive specified.
8033: The browser has forced an election on network \Device\NetBT_Tcpip_{A4658475-46E6-469E-BA87-CA74AAC1DF8B} because a master browser was stopped.
10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{C2F03A33-21F5-47FA-B4BB-156362A2F239}
and APPID
{316CDED5-E4AE-4B15-9113-7055D84DCC97}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
4: Log Name: System
Source: Virtual Disk Service
Date: 12/23/2018 1:43:59 PM
Event ID: 4
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: LAPTOP-JME2E5FG
Description:
Service stopped.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Virtual Disk Service" />
<EventID Qualifiers="16896">4</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-12-23T18:43:59.172723000Z" />
<EventRecordID>3882</EventRecordID>
<Channel>System</Channel>
<Computer>LAPTOP-JME2E5FG</Computer>
<Security />
</System>
<EventData>
<Data>@2010001</Data>
</EventData>
</Event>
4799:A security-enabled local group membership was enumerated.
4672: Special privileges assigned to new logon. these 2 just keep repeating)
1500: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.
100: Local Hostname LAPTOP-JME2E5FG.local already in use; will try LAPTOP-JME2E5FG-2.local instead(this error was caused by bonjour)
As Im Listing these it just hit me that these problems started occurring immediately after I got my laptop back from the HP repair shop.
I am running a hp notebook on windows 10.
The pc was generating new accounts constantly and apparently elevating these accounts above the one and only user(and admin) account on this pc. I've been getting denied access to more and more things.When I seen that bonjour was running an app on my windows pc it threw up a red flag and the app it was running was a DNSresponder. However the issues have only gotten more bizarre. MY net kept kicking me off so I logged onto my mothers asus laptop(win8) to see if the problem persisted on hers. it did.
After a quick check to see which wifi network i was on it was giving me my wifi address+2. Something was forcing my moms laptop to connect to the internet via my computer even tho all options for sharing my net connection were turned off. In Network and sharing center it shows this pc being connected to a private network yet all other signs were indicating I had somehow became part of a workplace network. When I open event viewer theres a custom log named "Server". So after a little digging using cmd (and later powershell) it turns out yes I am indeed acting as a server or something and there is a partition on my HDD that is hidden.
Also this two pcs are the only devices on this network that arent running IOS and the only two that were infected.
Then I found a .txt file inside a hidden folder titled "REGFLUSH": rthat contained the following:
RegFlush> Starting...
RegFlush> attempting to flush ->HKEY_CLASSES_ROOT
RegFlush> Successfully flushed
RegFlush> attempting to flush ->HKEY_CURRENT_USER
RegFlush> Successfully flushed
RegFlush> attempting to flush ->HKEY_LOCAL_MACHINE
RegFlush> Successfully flushed
RegFlush> attempting to flush ->HKEY_USERS
RegFlush> Successfully flushed
RegFlush> Done...
After digging around theres lots of weird stuff in these multiple hidden files. one txt list my OS as windows_NT, My Platform as mobile, my ram as 8gb(its only 4)and my I have zero windows credentials. then I found the policy definition scripts... C:\Windows\PolicyDefinitions is a folder full of .adml files that force different policies. one in particular was a script that was forcing me onto a domain which in turn forced me into a workplace. Then the script told itself to connect to all other devices within the workplace(naturally) in turn infecting every other device that seemingly isnt Mac.Heres the script for that:
<?xml version="1.0" encoding="utf-8"?>
<!-- (c) 2013 Microsoft Corporation -->
<policyDefinitions xmlns:xsd="XML Schema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="10.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
<policyNamespaces>
<target prefix="WJ" namespace="Microsoft.Policies.WorkplaceJoin" />
<using prefix="windows" namespace="Microsoft.Policies.Windows" />
</policyNamespaces>
<resources minRequiredRevision="1.0" />
<categories>
<category name="WorkplaceJoin" displayName="$(string.WJ_WorkplaceJoinCategory)">
<parentCategory ref="windows:WindowsComponents" />
</category>
</categories>
<policies>
<policy name="WJ_AutoJoin" class="Machine" displayName="$(string.WJ_AutoJoin)" explainText="$(string.WJ_AutoJoinExplain)" key="Software\Policies\Microsoft\Windows\WorkplaceJoin" valueName="autoWorkplaceJoin">
<parentCategory ref="WorkplaceJoin" />
<supportedOn ref="windows:SUPPORTED_Windows_6_3_NOARM" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
</policies>
</policyDefinitions>
The list goes on and on. Things like hideunctab in search.
pushtoinstall-Disabled
POWERSHELL: enable module logging-enabled
remote execution policy-enabled
EnableScriptBlockLogging
EnableScriptBlockInvocationLogging
EnableUpdateHelpDefaultSourcePath-SourcePathForUpdateHelp" valueName="DefaultSourcePath" required="true (its a loop?)
Windows Defender:
VirusThreatProtection_UILockdown
VirusThreatProtection_HideRansomwareRecovery
FirewallNetworkProtection_UILockdown
AppBrowserProtection_UILockdown
AppBrowserProtection_DisallowExploitProtectionOverride
DeviceSecurity_HideTPMTroubleshooting
I'll stop there because I believe the point has been made. Theres policy definition scripts like these for everything facet of my OS.
Help..
Continue reading...
I dont remember exactly how I stumbled onto this other than a few days ago my net was acting weird. im gonna list several event id codes but the ones that are the most troublesome to me are these:
event id 7034: The Windows Search service terminated unexpectedly. It has done this 349 time(s).
7023: The Windows Search service terminated with the following error:
The system cannot find the drive specified.
8033: The browser has forced an election on network \Device\NetBT_Tcpip_{A4658475-46E6-469E-BA87-CA74AAC1DF8B} because a master browser was stopped.
10016: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{C2F03A33-21F5-47FA-B4BB-156362A2F239}
and APPID
{316CDED5-E4AE-4B15-9113-7055D84DCC97}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
4: Log Name: System
Source: Virtual Disk Service
Date: 12/23/2018 1:43:59 PM
Event ID: 4
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: LAPTOP-JME2E5FG
Description:
Service stopped.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Virtual Disk Service" />
<EventID Qualifiers="16896">4</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-12-23T18:43:59.172723000Z" />
<EventRecordID>3882</EventRecordID>
<Channel>System</Channel>
<Computer>LAPTOP-JME2E5FG</Computer>
<Security />
</System>
<EventData>
<Data>@2010001</Data>
</EventData>
</Event>
4799:A security-enabled local group membership was enumerated.
4672: Special privileges assigned to new logon. these 2 just keep repeating)
1500: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.
100: Local Hostname LAPTOP-JME2E5FG.local already in use; will try LAPTOP-JME2E5FG-2.local instead(this error was caused by bonjour)
As Im Listing these it just hit me that these problems started occurring immediately after I got my laptop back from the HP repair shop.
I am running a hp notebook on windows 10.
The pc was generating new accounts constantly and apparently elevating these accounts above the one and only user(and admin) account on this pc. I've been getting denied access to more and more things.When I seen that bonjour was running an app on my windows pc it threw up a red flag and the app it was running was a DNSresponder. However the issues have only gotten more bizarre. MY net kept kicking me off so I logged onto my mothers asus laptop(win8) to see if the problem persisted on hers. it did.
After a quick check to see which wifi network i was on it was giving me my wifi address+2. Something was forcing my moms laptop to connect to the internet via my computer even tho all options for sharing my net connection were turned off. In Network and sharing center it shows this pc being connected to a private network yet all other signs were indicating I had somehow became part of a workplace network. When I open event viewer theres a custom log named "Server". So after a little digging using cmd (and later powershell) it turns out yes I am indeed acting as a server or something and there is a partition on my HDD that is hidden.
Also this two pcs are the only devices on this network that arent running IOS and the only two that were infected.
Then I found a .txt file inside a hidden folder titled "REGFLUSH": rthat contained the following:
RegFlush> Starting...
RegFlush> attempting to flush ->HKEY_CLASSES_ROOT
RegFlush> Successfully flushed
RegFlush> attempting to flush ->HKEY_CURRENT_USER
RegFlush> Successfully flushed
RegFlush> attempting to flush ->HKEY_LOCAL_MACHINE
RegFlush> Successfully flushed
RegFlush> attempting to flush ->HKEY_USERS
RegFlush> Successfully flushed
RegFlush> Done...
After digging around theres lots of weird stuff in these multiple hidden files. one txt list my OS as windows_NT, My Platform as mobile, my ram as 8gb(its only 4)and my I have zero windows credentials. then I found the policy definition scripts... C:\Windows\PolicyDefinitions is a folder full of .adml files that force different policies. one in particular was a script that was forcing me onto a domain which in turn forced me into a workplace. Then the script told itself to connect to all other devices within the workplace(naturally) in turn infecting every other device that seemingly isnt Mac.Heres the script for that:
<?xml version="1.0" encoding="utf-8"?>
<!-- (c) 2013 Microsoft Corporation -->
<policyDefinitions xmlns:xsd="XML Schema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="10.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
<policyNamespaces>
<target prefix="WJ" namespace="Microsoft.Policies.WorkplaceJoin" />
<using prefix="windows" namespace="Microsoft.Policies.Windows" />
</policyNamespaces>
<resources minRequiredRevision="1.0" />
<categories>
<category name="WorkplaceJoin" displayName="$(string.WJ_WorkplaceJoinCategory)">
<parentCategory ref="windows:WindowsComponents" />
</category>
</categories>
<policies>
<policy name="WJ_AutoJoin" class="Machine" displayName="$(string.WJ_AutoJoin)" explainText="$(string.WJ_AutoJoinExplain)" key="Software\Policies\Microsoft\Windows\WorkplaceJoin" valueName="autoWorkplaceJoin">
<parentCategory ref="WorkplaceJoin" />
<supportedOn ref="windows:SUPPORTED_Windows_6_3_NOARM" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
</policies>
</policyDefinitions>
The list goes on and on. Things like hideunctab in search.
pushtoinstall-Disabled
POWERSHELL: enable module logging-enabled
remote execution policy-enabled
EnableScriptBlockLogging
EnableScriptBlockInvocationLogging
EnableUpdateHelpDefaultSourcePath-SourcePathForUpdateHelp" valueName="DefaultSourcePath" required="true (its a loop?)
Windows Defender:
VirusThreatProtection_UILockdown
VirusThreatProtection_HideRansomwareRecovery
FirewallNetworkProtection_UILockdown
AppBrowserProtection_UILockdown
AppBrowserProtection_DisallowExploitProtectionOverride
DeviceSecurity_HideTPMTroubleshooting
I'll stop there because I believe the point has been made. Theres policy definition scripts like these for everything facet of my OS.
Help..
Continue reading...