SOS Reset cannot fix as boot, BIOS, MBR all corrupted; standalone machine(s) corrupted by RAT. Built-in admin shortcuts broken & admin replaced

    Question

  • If someone with greater technical savvy than I can help, it would be appreciated. If logs would help, please advise which. I've tried to find/dislodge the hijacker (.ru URL); I feel like I'm playing chess in the dark against a grandmaster as grim reaper. Losing money, time and peace with the situation. Windows level 2 techs have remotely tried to fix (3 separate cases) and the top tech guy at the Corte Madera, CA store was unable to fix the problem. DCOM is flooded with error messages by the time the OS completes its Welcome song/dance. Unable to fix corrupt certificates with unknown and unsigned certificate extensions. Default (built-in admin) replaced by Defaultuser. Paths changed on any owner-created admin accounts, which no longer have any admin privileges despite still being named as admin. Attributes changed on Library files so documents saved and music ripped cannot be accessed. Rollback option on drivers also all changed immediately after start-up the 1st time. Disk Management loses the ability to format or save info on USB devices, which are converted to RAW format. Thrice-weekly reset of the system does nothing but allow a brief window of usage.

    Network settings corrupted and, based on the description, I believe the DNS cache to be poisoned. Tried using Sysinternals accesschk but the log shows for less than 1 second & disappears. Procmgr shows huge amounts of svchost programs running simultaneously. Though my guess is that both machine and network are corrupted, probably 1 primary and the rest the result of ports left open by the 1st, so I don't know where to start. VM and proxy attempts circumvented by an unchangeable command, the bypass proxy for localhost command.

    Not just Windows; purchased Mac OS X, which worked great for 5 months until, shrug, Windows script started getting written to the Mac library. Devices w/ every OS of Windows since XP, every OS X of Mac, Linux, iOS, Android all have permissions & admin changed to the point where I have lost access to system files.

    Registry corrupted but nothing in regedit or tools from Sysinternals can fix it. Cannot make myself NET USER on Windows machines since all my user accounts get changed to standard. I cannot imagine a situation wherein I could possibly be more f****ked. Experts, new machines, software have cost a fortune. Would eat worms but can't find any. Sorry for the length but could not figure out how to shorten. SOS. Excellent opportunity for someone to be a hero. Thanks for any conceivable solution aside from Luddism.

    Thursday, November 17, 2016 1:45 AM

All replies

  • Hi,

    Based on your description, it seems that your system had been corrupted.

    I’m afraid your best bet is clean install.

    Clean Install Windows 10

    http://answers.microsoft.com/en-us/windows/wiki/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

    If the problem still persists, you may need to contact the manufacturer for further help.

    Best Regards,

    Tao


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 18, 2016 8:47 AM
    Moderator
  • Sorry for the very belated reply but I had not been notified of a response & just searched the exact same problem. It might be possible to follow your instructions but I can’t do it simply from the media creation tool; it throws various error messages or changes the file to “read only”. Unable to change & unable to take ownership. Perhaps a full installation disk would help but I have recently read about Trojans that change MBR, BIOS, startup operations before the system can get loaded. If I try after resetting (full) the PC and skip setting up the network connection I still see many host processes running when I run msconfig. Some system host (svchost) processes shut the PC down before I can continue to try. In any event, the processes I shut down seem to restart automatically. More literature has been available about these boot kits, et al., but nothing thus far capable of fixing. What I need is some way to unjoin the client (standalone PC I purchased & subsequently corrupted by boot kit * 12 for all current devices, all of which have the same problem, namely: activation code changed; MSFT answer to that is to buy a new copy of Windows 10 & allow that to become corrupted). But beyond that, regain permissions to delete all host-related registry keys, have installed or corrupted Windows system files changed, restore proper drivers and somehow keep this from happening again. I have seen other forum participants with the same issue, often using slightly different descriptions, & assume that for every 1 who asks for help, 20 users have not grasped the sophistication of this Trojan/bootkit. My guess is that it uses standard accounts to gain access, jumps to system accounts and then uses SMB to take over all other devices on the network. That’s based on hundreds of hours of experience. Many IT pros simply think it’s user misunderstanding but that seems the result of some Freudian-driven arrogance that convinces them they already know everything and if they haven’t learned it in an MSFT online program module it can’t possibly exist.
    That opinion is based on the number of responses that refer to fixing through the MSFT GUI, the most easily manipulated software in existence. Anyway, sorry re. complaints, it just doesn’t help solve problems but is an all too common experience. Had dozens of in-store high-level techs examine & their universal solution is “reset” w/o even listening to issues that still exist or treating any explanation of the issue with thinly veiled contempt.
    Monday, January 28, 2019 12:21 AM
  • RAT, as in Microsoft RATTV? That was Win XP era software; MSDN-WHQL might have the software... RATTV is a Microsoft certified Windows installation; it works with SQLR I believe..
    Also, for any PC with a boot problem where Windows is/was OK: power off the PC, remove the MB battery, wait 10-12 minutes, install a new 2032-type battery, start the PC. You need to reset BIOS/date-time/etc./reset for add-in cards/save & exit BIOS. Once in Windows, reset date-time..
    • Edited by Andrew E. Monday, January 28, 2019 1:12 AM
    Monday, January 28, 2019 1:08 AM