
After being spoofed? HDD header subprogrammed with virt.net, I found those reg. entries

Status
Not open for further replies.
Joined
Apr 11, 2021
Messages
835 (0.75/day)
Location
ÐҼƱ₸ꞨƇҤՆԹՌÐ
System Name °( ఠ ͟ʖ ఠ)°
Processor Intel | i7 _ 11700K | @ ~ 5GHz all | cooling ~ Thermal Grizzly CARBONAUT
Motherboard Asus | ROG Strix -- Z 590-E
Cooling Asus | ROG Ryujin 240 2* _Noctua F PPC °3000 | 4+1* _beQuiet_ Silent/Light Wings 3 °2200
Memory G Skill | Trident Z *RGB @ 4000_ | _15-15-15-36_ |
Video Card(s) Asus | ROG Strix -- RTX 3070Ti_ #OC Edition
Storage INTENSO 250GB *1, 500GB*1 | Samsung EVO 860 / 970 EVO plus| WDC WD40 |
Display(s) Alienware | AW3821DW _ 38" {3840*1600} wide - curved
Case be Quiet | DARK BASE PRO 900 --- _rev. 2 --- #Silver
Audio Device(s) Asus | ROG Throne - Qi_7.1 | LOGITECH_G560 Speaker (RGB)
Power Supply be Quiet | DARK Power PRO 12 __ 1200W *titanium
Mouse Razer | NAGA Trinity (19 buttons)
Keyboard Razer | Huntsman V2 analog | Razer Goliathus (RGB) black
VR HMD Razer | Kraken Ultimate HEADSET __7.1 THX ____| DX RACER - Gaming Leather Chair_____ VR?? is odd!
Software Windows 11 Pro
Benchmark Scores See signature URL
Greetings,

After an exciting week of trial and error, finding out which unknown person spoofed my running operating system, reprogrammed my hard drive header and installed a virtual drive to infect my Windows so that you don't notice it.

It was found:
3MB virtual boot leads to
8MB boot in MBR format, which may lead to
17MB and 230MB GPT boot + EFI, which lead to
1,8GB OS in the form of revi.os (about that size), and to a total of
2,8GB of unused hard disk space.

I was able to extract a registration file from this virtual OS (Win) and save it in *.TXT format. I also disabled it as a precaution.

Does anyone have a direct line or expertise, an idea or good tricks?

At this point I am currently stuck, except that I have been able to isolate everything so far to prevent and no longer allow this connection from my own computer to the other.


I put the file on my Google Drive since it is quite large (115MB) and cannot be uploaded here.

THE FILE IS A *.TXT and contains all information about this #network under my Windows version.

Screenshot 2023-03-19 111352.png


Screenshot 2023-03-19 102212.png
Screenshot 2023-03-19 104959.png


Screenshot 2023-03-19 084841.png
Screenshot 2023-03-19 085002.png
Screenshot 2023-03-19 085021.png
Screenshot 2023-03-19 085257.png
Screenshot 2023-03-19 085604.png
Screenshot 2023-03-19 085729.png



 
Joined
Nov 18, 2010
Messages
7,125 (1.45/day)
Location
Rīga, Latvia
System Name HELLSTAR
Processor AMD RYZEN 9 5950X
Motherboard ASUS Strix X570-E
Cooling 2x 360 + 280 rads. 3x Gentle Typhoons, 3x Phanteks T30, 2x TT T140 . EK-Quantum Momentum Monoblock.
Memory 4x8GB G.SKILL Trident Z RGB F4-4133C19D-16GTZR 14-16-12-30-44
Video Card(s) Sapphire Pulse RX 7900XTX + under waterblock.
Storage Optane 900P[W11] + WD BLACK SN850X 4TB + 750 EVO 500GB + 1TB 980PRO[FEDORA]
Display(s) Philips PHL BDM3270 + Acer XV242Y
Case Lian Li O11 Dynamic EVO
Audio Device(s) Sound Blaster ZxR
Power Supply Fractal Design Newton R3 1000W
Mouse Razer Basilisk
Keyboard Razer BlackWidow V3 - Yellow Switch
Software FEDORA 39 / Windows 11 insider
You should really think about how you were compromised and WHY.

The OS hijack is pretty automated. I hope you understand the consequences and how much of the traffic has gone out. Your line of defense is your router watching for weird traffic, not the compromised OS.

Change any passwords you have typed in and any unencrypted sensitive data that may lead to some damage.

You have to think of the exploit. If you are a person targeted by the government, then no AV or whatsoever may help you. They use undocumented backdoors and vulnerabilities, let's say... we use them to find compromised persons serving the REDs...

If it is a rogue random attempt, then... just NUKE everything and redo passwords.

I often wonder how people even end up having cases like that... since the early CIH days...
 
Joined
Jul 25, 2006
Messages
12,147 (1.87/day)
Location
Nebraska, USA
System Name Brightworks Systems BWS-6 E-IV
Processor Intel Core i5-6600 @ 3.9GHz
Motherboard Gigabyte GA-Z170-HD3 Rev 1.0
Cooling Quality case, 2 x Fractal Design 140mm fans, stock CPU HSF
Memory 32GB (4 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s) EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s) Samsung S24E650BW LED x 2
Case Fractal Design Define R4
Power Supply EVGA Supernova 550W G2 Gold
Mouse Logitech M190
Keyboard Microsoft Wireless Comfort 5050
Software W10 Pro 64-bit
I think there is a misunderstanding of the word "spoofed" here too.

If I were to spoof you, I would, for example, be sending out spam emails from my computer, but I would be inserting your email address in the header so the emails "appear" to be coming from your email account. This makes people mad at you, not me. And it can result in your email address getting blacklisted.

Or if I was a robocaller, I would insert your phone number in the caller-ID information that appears on others' phones.

In both cases, I would only need to know your email address or your phone number - information I could have gotten from any number of places. I would not ever have needed access to your computer or phone.

In other words, your computer (or phone) never needs to be hacked or compromised for you to be a victim of spoofing.

If you really believe your computer may have been "compromised" (accessed by an unauthorized person) and "infected" (had malware installed), you need to thoroughly scan your computer with updated anti-malware software, make sure your OS is current, and as Ferrum Master notes, change all your passwords and wifi passphrases.
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,893 (3.79/day)
Location
Alabama
System Name Rocinante
Processor I9 14900KS
Motherboard EVGA z690 Dark KINGPIN (modded BIOS)
Cooling EK-AIO Elite 360 D-RGB
Memory 64GB Gskill Trident Z5 DDR5 6000 @6400
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 500GB 980 Pro | 1x 1TB 980 Pro | 1x 8TB Corsair MP400
Display(s) Odyssey OLED G9 G95SC
Case Lian Li o11 Evo Dynamic White
Audio Device(s) Moondrop S8's on Schiit Hel 2e
Power Supply Bequiet! Power Pro 12 1500w
Mouse Lamzu Atlantis mini (White)
Keyboard Monsgeek M3 Lavender, Akko Crystal Blues
VR HMD Quest 3
Software Windows 11
Benchmark Scores I dont have time for that.
What??

E397EB64-2F0F-4069-AB8A-BA00284AEF6C.jpeg


So you have a copy of the BIOS main table. How is this in any way related to networks or hacking?

My dude, your system is fine. These are all common components. What are you doing?


defaultuser is a programmatic default account from Windows 10. It will also show up on most OEM Windows installs, since they use mass imaging.


Default user exists always. Here, have mine.

1679239398276.png
 
Last edited:
Joined
Nov 18, 2010
Messages
7,125 (1.45/day)
Location
Rīga, Latvia
defaultuser is a programmatic default account from Windows 10. It will also show up on most OEM Windows installs, since they use mass imaging.

Wrong, that thing is left for service usage, calibration and injection jobs, i.e. me.
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,893 (3.79/day)
Location
Alabama
Wrong, that thing is left for service usage, calibration and injection jobs ie me.
What? That is not the system account. Do you have any experience using WDS or mass imaging? Intune? Maybe this is sarcasm and I'm missing it.
 
Joined
Feb 20, 2020
Messages
9,340 (6.12/day)
Location
Louisiana
System Name Ghetto Rigs z490|x99|Acer 17 Nitro 7840hs/ 5600c40-2x16/ 4060/ 1tb acer stock m.2/ 4tb sn850x
Processor 10900k w/Optimus Foundation | 5930k w/Black Noctua D15
Motherboard z490 Maximus XII Apex | x99 Sabertooth
Cooling oCool D5 res-combo/280 GTX/ Optimus Foundation/ gpu water block | Blk D15
Memory Trident-Z Royal 4000c16 2x16gb | Trident-Z 3200c14 4x8gb
Video Card(s) Titan Xp-water | evga 980ti gaming-w/ air
Storage 970evo+500gb & sn850x 4tb | 860 pro 256gb | Acer m.2 1tb/ sn850x 4tb| Many2.5" sata's ssd 3.5hdd's
Display(s) 1-AOC G2460PG 24"G-Sync 144Hz/ 2nd 1-ASUS VG248QE 24"/ 3rd LG 43" series
Case D450 | Cherry Entertainment center on Test bench
Audio Device(s) Built in Realtek x2 with 2-Insignia 2.0 sound bars & 1-LG sound bar
Power Supply EVGA 1000P2 with APC AX1500 | 850P2 with CyberPower-GX1325U
Mouse Redragon 901 Perdition x3
Keyboard G710+x3
Software Win-7 pro x3 and win-10 & 11pro x3
Benchmark Scores Are in the benchmark section
Hi,
As far as I know, the default user is there to create clean new user accounts.
At one time we would add a password to the guest and system admin accounts too; probably should do it on 11 as well.
 
Joined
Feb 22, 2022
Messages
526 (0.66/day)
Processor AMD Ryzen 7 5800X3D
Motherboard Asus Crosshair VIII Dark Hero
Cooling Custom Watercooling
Memory G.Skill Trident Z Royal 2x16GB
Video Card(s) MSi RTX 3080ti Suprim X
Storage 2TB Corsair MP600 PRO Hydro X
Display(s) Samsung G7 27" x2
Audio Device(s) Sound Blaster ZxR
Power Supply Be Quiet! Dark Power Pro 12 1500W
Mouse Logitech G903
Keyboard Steelseries Apex Pro
Congratulations!
1 - You have correctly described the boot process of an EFI BIOS-equipped computer.
2 - Located the DefaultUser user profile in Windows. This is the user profile that Windows uses to create new user profiles from. DefaultUser0 is sometimes present due to a Windows upgrade or similar.

This is all by design. There is 0% wrong with your computer, if this is your "smoking gun". Was there any other behaviour that led you down this rabbit hole, which might indicate an actual problem?
 
Joined
Nov 18, 2010
Messages
7,125 (1.45/day)
Location
Rīga, Latvia
What? That is not the system account. Do you have any experience using WDS or mass imaging? Intune? Maybe this is sarcasm and I'm missing it.

Well, mass imaging isn't used as much as you think, nor does the DefaultAccount stem from it. It is a core need for certain non-classic app types; not sure where the "profile to create profiles" lore came from. It is just a coincidence. Basically, user-agnostic processes run using it. The OEM OS deployment is a more ugly process than you can imagine, thanks to certain Asian companies and their vision of doing things; they do not align with Microsoft's vision.
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,893 (3.79/day)
Location
Alabama
Well, mass imaging isn't used as much as you think, nor does the DefaultAccount stem from it. It is a core need for certain non-classic app types; not sure where the "profile to create profiles" lore came from. It is just a coincidence. Basically, user-agnostic processes run using it. The OEM OS deployment is a more ugly process than you can imagine, thanks to certain Asian companies and their vision of doing things; they do not align with Microsoft's vision.
I don't need to think anything, because I literally use WDS, my dude. Not to mention the above Google link. This isn't some deep magic; you can literally search for it.

Oh, I see the last part. This is some crazy racist shit you're on. Listen, dude, deployment process complexity is not linked to personal hatred of a people whose language you can't speak. Sorry, it's just not real.
 
Joined
Apr 17, 2011
Messages
236 (0.05/day)
EDIT: nope, I'm wrong - I didn't realize the Default User shows up as "DefaultAccount" ... which it's probably done since forever.

1679259482109.png

Hi,
As far as I know, the default user is there to create clean new user accounts.
At one time we would add a password to the guest and system admin accounts too; probably should do it on 11 as well.
----------

There is indeed a Default User account, but it's not named DefaultAccount, nor does it normally show in userpasswords2 ...
1679259396772.png
 
Joined
Nov 18, 2010
Messages
7,125 (1.45/day)
Location
Rīga, Latvia
I don't need to think anything, because I literally use WDS, my dude. Not to mention the above Google link. This isn't some deep magic; you can literally search for it.

Oh, I see the last part. This is some crazy racist shit you're on. Listen, dude, deployment process complexity is not linked to personal hatred of a people whose language you can't speak. Sorry, it's just not real.

It seems you are venturing into territory you have no experience of, especially when working with them. Not sure how a corporate organization connects in your vision with the human race, instead of a political entity. It is the business model that characterizes and defines them, including mandatory influence from the PRC. So is saying "American car" racist also? People these days use terms in places where they should not, with no understanding or concern.

The post-installation scripts can be added as you please, leaving some funny things they should not have. Cry or moan, but this practice is not banned, nor can you MD5 the thing you have bought in a store and the software pile it shipped with. WDS is the start; the post-installation customization is often done by separate in-house OEM toolkits and is highly questionable.
 
Joined
Apr 17, 2011
Messages
236 (0.05/day)
Solaris can most likely verify, but the account used for running services (and many other things intended primarily to be non-user-interactive) was at least NT AUTHORITY\SYSTEM. I only bring it up so people don't conflate this with the Default User account, which is a totally different thing.

It at least used to live at:
%WinDir%\system32\config\systemprofile
Also - don't mess with it unless you *really* understand what you're running as.

I'm out of date on mangling Windows profiles these days (as in, TrustedInstaller and Metro/modern apps are still an enigma to me), but I just didn't want people to read this thread and get Default User confused with it.
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,893 (3.79/day)
Location
Alabama
It seems you are venturing into territory you have no experience of.

Bro

Here I logged into one of my nodes and installed an OS for you.

1679259264808.png


1679259282727.png


These are going to be vanilla installs, non-modified images. I would be more than happy to show you the configs, though. So this will be a basic user experience. No scripts or slipstreaming during install.

Let's pick Windows 10, like our OP.

1679259506097.png


Nice and fresh.

1679259529963.png


I'm sure you know netbooting so really fast. You obviously have a TON of experience with it.

1679259567628.png



Time for set

1679260030928.png


Gotta wait, but surely not for our super secret account.

1679260104599.png


Personal use; after all, we're not part of an org or an edu. We just want to troll on the internet and play Crysis.

1679260654757.png



Desktop at last

1679261006692.png


Let's take a look

1679261075963.png



wild.

If anyone would like me to write a guide on how to setup and use WDS if you have a home server let me know. Makes it really easy to image things at home if you have ethernet, and have an interest in tech.

As for the accounts.

"System" is the closest equivalent to root that Windows has. It is used for all "Windows" core functions and some software for kernel- or hardware-level access.

"Administrator" is a built-in local account. It is disabled by default but is created during installation. For the most part it is used to set base permissions on all files. The default SID is universal and has been known for many years. This account also serves as a "template" and during sysprep can be modified so that the customizations appear for all subsequent user accounts.

"Defaultuser0": this folder exists, but the account can be deleted (cmd). It is a result of the install and is used by the install process. "Copying files", creating default configs, everything you see on screen from Cortana questions to keyboard settings needs a user account. This is called "OOBE", and the default user account is the one doing all the work.


You can read a lot about all of them (30k-foot view) from Microsoft themselves.


As for "questionable 3rd party toolkits", you must mean "unattended.xml"; anyone on planet Earth (not Mars though) can download MDT.


Anyway, OP's machine isn't infected.
 
Last edited:
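To make the account explanation above concrete, here is an added PowerShell example (it is not code from the thread, from Microsoft or from any poster) that lists local accounts by RID rather than by name, maps the ProfileList registry key to profile folders, and finds folders under C:\Users with no matching profile entry, which is where a leftover defaultuser0 shows up. It goes a little beyond the post by also decoding the well-known group SIDs (Authenticated Users, Everyone, BUILTIN\Administrators) that appear in file-permission dialogs and are easily mistaken for extra user accounts. The function names and the two lookup tables are this example's own; the RIDs, SIDs and the registry path are Windows' documented values. Run it from an elevated prompt on Windows 10/11.

```powershell
# Added example (not from the thread): inventory local accounts and profile
# folders and annotate the ones Windows creates itself, so DefaultAccount,
# defaultuser0 or the SYSTEM profile are not mistaken for an intruder.
# Run from an elevated PowerShell prompt on Windows 10/11.

# Built-in accounts are identified by RID (last SID component), not by name:
# names can be renamed or localized (German installs included), RIDs cannot.
$wellKnownRids = @{
    500 = 'Administrator (built-in, disabled by default on client editions)'
    501 = 'Guest (built-in, disabled by default)'
    503 = 'DefaultAccount (system-managed account, disabled, present on every install)'
    504 = 'WDAGUtilityAccount (Windows Defender Application Guard, disabled)'
}
# Well-known SIDs that are service identities or groups, not user accounts, but
# show up in permission dialogs and in the ProfileList key.
$wellKnownSids = @{
    'S-1-5-18'     = 'NT AUTHORITY\SYSTEM (services; profile = system32\config\systemprofile)'
    'S-1-5-19'     = 'NT AUTHORITY\LOCAL SERVICE'
    'S-1-5-20'     = 'NT AUTHORITY\NETWORK SERVICE'
    'S-1-5-11'     = 'Authenticated Users (group containing every logged-on user, not a person)'
    'S-1-5-32-544' = 'BUILTIN\Administrators (group)'
    'S-1-1-0'      = 'Everyone (group)'
}
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-LocalAccountReport {
    foreach ($u in Get-LocalUser | Sort-Object Name) {
        $rid  = [int](($u.SID.Value -split '-')[-1])
        $note = 'RID below 1000 that is not a known built-in (investigate)'
        if ($wellKnownRids.ContainsKey($rid)) { $note = $wellKnownRids[$rid] }
        elseif ($rid -ge 1000) { $note = 'created after install (user RIDs start at 1000)' }
        [pscustomobject]@{
            Name = $u.Name; Enabled = $u.Enabled; RID = $rid; LastLogon = $u.LastLogon; Note = $note
        }
    }
}

function Get-ProfileReport {
    # ProfileList maps every SID that has a profile on this machine to its folder.
    # The 'Default' value is the template copied for each new user (C:\Users\Default).
    "Template profile for new users: $((Get-ItemProperty $profileListKey).Default)"
    foreach ($sub in Get-ChildItem $profileListKey) {
        $sid  = $sub.PSChildName
        $path = (Get-ItemProperty $sub.PSPath).ProfileImagePath
        if ($wellKnownSids.ContainsKey($sid)) {
            $who = $wellKnownSids[$sid]
        } else {
            try {
                $ident = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $who   = $ident.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $who = 'unresolvable SID (deleted local account or offline domain user)' }
        }
        "$sid -> $path  [$who]"
    }
}

function Get-OrphanProfileFolders {
    # Folders under C:\Users with no ProfileList entry. Default, Public and the
    # legacy 'All Users' / 'Default User' junctions are expected; defaultuser0 is
    # the OOBE leftover discussed above; anything else deserves a look.
    $known = Get-ChildItem $profileListKey |
             ForEach-Object { (Get-ItemProperty $_.PSPath).ProfileImagePath }
    Get-ChildItem 'C:\Users' -Directory -Force |
        Where-Object { $known -notcontains $_.FullName } |
        ForEach-Object { "$($_.FullName)  (no ProfileList entry)" }
}

Get-LocalAccountReport | Format-Table -AutoSize
Get-ProfileReport
Get-OrphanProfileFolders
```

The point of keying on RIDs is that `net user` and the Accounts control panel show localized or renamed display names, while the RID of a built-in account never changes; an account with a RID of 1000 or above that nobody remembers creating is worth a question, a DefaultAccount or defaultuser0 is not.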

Toothless

Tech, Games, and TPU!
Supporter
Joined
Mar 26, 2014
Messages
9,279 (2.52/day)
Location
Washington, USA
System Name Veral
Processor 5950x
Motherboard MSI MEG x570 Ace
Cooling Corsair H150i RGB Elite
Memory 4x16GB G.Skill TridentZ
Video Card(s) Powercolor 7900XTX Red Devil
Storage Crucial P5 Plus 1TB, Samsung 980 1TB, Teamgroup MP34 4TB
Display(s) Acer Nitro XZ342CK Pbmiiphx + 2x AOC 2425W
Case Fractal Design Meshify Lite 2
Audio Device(s) Blue Yeti + SteelSeries Arctis 5 / Samsung HW-T550
Power Supply Corsair HX850
Mouse Corsair Nightsword
Keyboard Corsair K55
VR HMD HP Reverb G2
Software Windows 11 Professional
Benchmark Scores PEBCAK
If OP is that worried, why not killdisk wipe it and reinstall?
 
Joined
Nov 18, 2010
Messages
7,125 (1.45/day)
Location
Rīga, Latvia
As for "questionable 3rd party toolkits" you must mean "unattended.xml"

No, you have not seen OEM device deployment. You operate with the Microsoft way of pushing images. It is not used everywhere, for various reasons.

Also... most laptops these days don't even have Ethernet.
 
Joined
Apr 11, 2021
Messages
835 (0.75/day)
Location
ÐҼƱ₸ꞨƇҤՆԹՌÐ
After analyzing the disks, I came across interesting things in detail. :wtf:

I am working on a workaround.


Capture.JPG


 
Joined
Feb 1, 2019
Messages
68 (0.04/day)
Location
Little Berlin
After analyzing the disks, I came across interesting things in detail. :wtf:

I am working on a workaround.



Is that Hiren's I see there?

Please tell me you know what you are doing. I see you are messing around with Hiren's, and those kinds of tool collections contain at least 10 different scripts and programs that can create and modify boot partitions etc., and several more that can do pretty much anything: clone, delete, format, recover, unformat, secure-wipe +++
An accidental execution of a batch file on Hiren's is all it takes to cause... pretty much what you are describing.


Can you paste the results of Get-Partition in PowerShell?


And why is that latest screenshot showing the ENG display language? Your previous screenshots are in German.
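The partition listing asked for here, and the sizes the OP reported in the opening post (a 17MB and a 230MB partition next to the OS, a large X: drive seen from Hiren's), can be checked against a stock Windows layout with the following PowerShell. It is an added example, not code from the thread or from any poster: it decodes each partition's GPT type GUID or MBR type code against the well-known Microsoft values, flags anything outside that set, reports unallocated space, and finally dumps the boot configuration. The function name and the two lookup tables are this example's own. Two caveats a practitioner would add: run it from the installed Windows, not from a WinPE-based rescue disc such as Hiren's BootCD PE, where X: is the WinPE boot ramdisk rather than a partition on disk; and expect the Microsoft Reserved partition (16MB on current Windows) to have neither a drive letter nor a filesystem, which is by design.

```powershell
# Added example (not from the thread): list every disk's partitions, label each by
# its well-known GPT type GUID or MBR type code, flag anything outside that set,
# and report unallocated space. Run from an elevated PowerShell prompt on the
# installed Windows, not from a WinPE/Hiren's boot (there, X: is the boot ramdisk).

# GPT partition type GUIDs as Get-Partition reports them in .GptType (braces, lowercase).
$gptTypes = @{
    '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}' = 'EFI System Partition (boot loaders; FAT32, usually 100-500 MB)'
    '{e3c9e316-0b5c-4db8-817d-f92df00215ae}' = 'Microsoft Reserved / MSR (16 MB, no filesystem, no drive letter)'
    '{ebd0a0a2-b4b5-4433-87c0-68b6b72699c7}' = 'Basic data (OS or data volume)'
    '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}' = 'Windows Recovery / WinRE (hidden, usually 500 MB-1 GB)'
}
# MBR partition type codes as Get-Partition reports them in .MbrType (decimal).
$mbrTypes = @{
    7   = 'IFS / NTFS (0x07, Windows system or data)'
    12  = 'FAT32 LBA (0x0C)'
    39  = 'Hidden NTFS (0x27, Windows recovery / OEM)'
    239 = 'EFI System (0xEF)'
}

function Get-PartitionInventory {
    foreach ($disk in Get-Disk | Sort-Object Number) {
        "Disk $($disk.Number): $($disk.FriendlyName) [$($disk.PartitionStyle)], " +
        "$([math]::Round($disk.Size / 1GB, 1)) GB, boot disk: $($disk.IsBoot)"

        $parts = Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
                 Sort-Object PartitionNumber
        foreach ($p in $parts) {
            if ($disk.PartitionStyle -eq 'GPT') {
                $key   = ([string]$p.GptType).ToLower()
                $label = if ($gptTypes.ContainsKey($key)) { $gptTypes[$key] } else { "UNKNOWN GPT type $key (investigate)" }
            } else {
                $code  = [int]$p.MbrType
                $label = if ($mbrTypes.ContainsKey($code)) { $mbrTypes[$code] } else { "UNKNOWN MBR type $code (investigate)" }
            }
            # DriveLetter is a [char]; it is NUL for partitions without a letter (MSR, WinRE, ESP).
            $letter = if ([int]$p.DriveLetter -gt 0) { "$($p.DriveLetter):" } else { '(no letter)' }
            "  Partition $($p.PartitionNumber) $letter " +
            "$([math]::Round($p.Size / 1MB, 0)) MB at offset $($p.Offset), " +
            "hidden=$($p.IsHidden) active=$($p.IsActive) -> $label"
        }

        # Unallocated space is not a partition, so compute it from the gap.
        $used = ($parts | Measure-Object Size -Sum).Sum
        "  Unallocated (approx.): $([math]::Round([math]::Max(0, $disk.Size - $used) / 1MB, 0)) MB"
    }
}

Get-PartitionInventory

# Boot entries are a separate question from partitions. '/enum all' also lists
# ramdisk and device entries, which is how a WinPE-style environment boots.
bcdedit /enum all
```

A stock UEFI install of Windows 10/11 on a GPT disk shows exactly the four labelled types (EFI System, Microsoft Reserved, Basic data for the OS, Windows Recovery); a legacy MBR install shows a small active NTFS "System Reserved" partition plus the OS partition. A partition whose type GUID is not in the table, or a bcdedit entry whose device or osdevice points somewhere other than those partitions, is the kind of thing that would actually need explaining.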
 
Joined
Apr 11, 2021
Messages
835 (0.75/day)
Location
ÐҼƱ₸ꞨƇҤՆԹՌÐ
Is that Hiren's I see there?

Please tell me you know what you are doing. I see you are messing around with Hiren's, and those kinds of tool collections contain at least 10 different scripts and programs that can create and modify boot partitions etc., and several more that can do pretty much anything: clone, delete, format, recover, unformat, secure-wipe +++
An accidental execution of a batch file on Hiren's is all it takes to cause... pretty much what you are describing.


Can you paste the results of Get-Partition in PowerShell?


And why is that latest screenshot showing the ENG display language? Your previous screenshots are in German.


This is a small hidden "network", an operating system under my running operating system.

I discovered it with a Hiren's boot control visit under Windows, when it manifested itself as drive X:, named "boot", under my Windows. It is far larger than the stated drive size of 800MB.

From there I encountered a 3MB partition that was infiltrated by an attack (I suspect so); at least I perceived it via a warning.

I have been working for 12 days to make this _THING_ harmless to some extent. It is extremely infectious in the sense that it continues to copy itself on the hard disk system, and thus a lot of data could flow out!

It all started when I saw a so-called _authenticated user_ in my accounts that, for me as an administrator, did not belong there. That's how it all began.

By the way, I also handed over these materials to the German police and explained what it was all about. I also left a hard disk there.
I filed a criminal complaint. The complaint was accepted by the police.
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,893 (3.79/day)
Location
Alabama
I am happy that you did what you thought was right and contacted the police in your case.

Unfortunately, I am not sure they will find much, if anything, as acceptance is not the same as truth.

In this case, what you managed to find, the boot partitions and modifications of them, are unfortunately normal everyday things present on everyone's OS.

Despite the information in the thread and information you can easily Google, you continue to chase this. This is disingenuous to members and those willing to learn in earnest.

I hope at some point you come to realize this. Good luck.
 