
I have a stack of 4 personal laptops (running everything from Windows 7 Pro to Windows 10 Home) that have been rendered useless after being migrated to a domain server and made to run a large number of background applications, none of which can be removed from startup, even by the best malware/anti-piracy software.

After the last recovery on a Sony VAIO running Win 10 10.0.17134 Build 17134, I immediately opened event viewer and saw a bizarre series of actions taken before I had even logged on as a User/Administrator:

  1. Offline downlevel migration of security objects

  2. Additional ESENT database information added

  3. Software protection service set to restart in a few days

  4. Software protection then turned off

  5. VideoUI service started (note: this is before any other programs)

  6. Recovery of VideoUI database engine

  7. New VideoUI session started

  8. Boot configuration set to disable verification and debugging

  9. Workgroup user created (Font Driver Host) and given special privileges, including impersonation

  10. A bunch of new users are created and given special privileges

  11. SID S-1-5-21... queries user accounts for blank passwords

  12. SID S-1-5-21 migrates cryptographic key for local user accounts

Since I know zero about tech, it took me a long time to figure out what was going on. But, it appears that any laptop (I have a VAIO, ASUS, DELL and LENOVO) running Windows is hijacked this way and migrated to a domain server controlled by someone else. I've set them up over public and private networks at home or in the office. Doesn't seem to care. The one constant is that they were all set up over networks connected to Spectrum/TWC connections.

When I operate the machines as though they are running like normal personal computers, troubles arise and they shut down... sometimes claiming registry errors that will not even allow them to boot into WinRE.

Over 6 years, I've taken them to IT experts. I've run every malware scanner in the known universe. Nothing helps.

What is happening? How can I identify the origin of the SIDs causing the trouble? How can I identify who controls the domain server where they are migrated?

You're my hero if you can provide any help! CoopNYC

  • If they were migrated to a domain, just look at who owns the domain name and/or where the domain controllers reside? – u1686_grawity Mar 19 '19 at 17:55
  • Someone other than you owns your network, and the problem is far too broad for us to begin to get you a good answer. Nothing that is currently connected to your network should be trusted. Any "smart" home devices you have should be removed and trashed, all networking equipment replaced, your internet service should probably be changed to a different provider and type, and your computers should be replaced. And all of this should be done at the same time. Nothing from the old network should touch the new, and nothing from the new touch the old. – music2myear Mar 19 '19 at 17:55
  • Note: The above is taking all that you say entirely at face value and trusting your observations to be accurate. – music2myear Mar 19 '19 at 17:56

1 Answer

I would do this in order:

  • Update the firmware of your router (install again even if already at the latest version) then factory-reset it. Ensure its firewall is enabled and Internet access is not allowed to its settings page.
  • Turn off all computers and disconnect from the network.
  • Turn them on one by one, format and reinstall Windows and ensure their firewall is enabled.
  • Connect the computers one by one to the network and fully patch each.

If this happens again then you are yourself installing the malware, or perhaps your router is vulnerable (replace before starting if it dates from 6 years ago).

See also the following post:
How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?

harrymc
  • Many thanks! Grawity (or others), the domain server where everything is migrated doesn't have a name (or even an obvious IP address). It is impersonating our home network. I have documented that when the computer logs onto our home network, then the adapter goes into "transition" state (the state of the adapter is changed) and the event viewer shows that it connects to a new "unknown" network, then disconnects from our home network. I don't think it's actually disconnecting; I think it is changing the name, but running over our connection. How can I identify who is controlling the thing? – CoopNYC Mar 20 '19 at 14:35
  • First, I'm not grawity. Second, it would take an international organization to trace the control center of a virus. No way that a private person can do that. The only thing you can do is reformat and reinstall, treating until then every device as infected (and infecting). – harrymc Mar 20 '19 at 15:55
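Before reformatting, a reader in the asker's position can at least establish the facts the comments ask about (is the machine actually domain-joined, and to what; are there unexpected local accounts; is the firewall on; has boot integrity checking been disabled as item 8 claims). The script below is an added example written for this page, not code from the answer or from Microsoft; it assumes Windows 10 with the built-in PowerShell 5.1 (the `Get-Local*` cmdlets are not present on Windows 7) and an elevated prompt. All it does is read and report; it changes nothing.

```powershell
# Added triage script (example only, not part of the original answer).
# Assumes: Windows 10, PowerShell 5.1, run as Administrator. Read-only.

function Get-DomainJoinReport {
    # Win32_ComputerSystem says whether the box is joined and to which domain/workgroup.
    # DomainRole: 0 standalone workstation, 1 member workstation, 2 standalone server,
    # 3 member server, 4 backup DC, 5 primary DC.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName      = $cs.Name
        PartOfDomain      = $cs.PartOfDomain
        DomainOrWorkgroup = $cs.Domain
        DomainRole        = $cs.DomainRole
    }
}

function Get-NetworkProfileReport {
    # NetworkCategory 'DomainAuthenticated' means Windows reached a domain controller
    # on that adapter; 'Private'/'Public' means it did not. This is the state the
    # asker describes as the adapter switching to an "unknown" network.
    Get-NetConnectionProfile |
        Select-Object Name, InterfaceAlias, NetworkCategory, IPv4Connectivity
}

function Get-LocalAccountReport {
    # Every local account with its SID (the machine SID is the S-1-5-21-... prefix,
    # the trailing number is the RID) and whether a password is required at all.
    Get-LocalUser |
        Select-Object Name, Enabled, PasswordRequired, LastLogon, SID
}

function Get-LocalAdminReport {
    # Members of the local Administrators group; PrincipalSource tells you whether a
    # member is a Local account or came from ActiveDirectory (i.e. a domain).
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

function Get-FirewallReport {
    # The answer says to ensure the firewall is enabled; this shows all three profiles.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

function Get-BootIntegrityReport {
    # Item 8 in the question ("verification and debugging disabled") would show up here
    # as testsigning/nointegritychecks/debug entries in the current boot entry.
    bcdedit /enum '{current}' |
        Select-String -Pattern 'testsigning|nointegritychecks|debug|loadoptions'
}

# Run every check and print the results.
'== Domain join ==';       Get-DomainJoinReport      | Format-List
'== Network profiles ==';  Get-NetworkProfileReport  | Format-Table -AutoSize
'== Local accounts ==';    Get-LocalAccountReport    | Format-Table -AutoSize
'== Local admins ==';      Get-LocalAdminReport      | Format-Table -AutoSize
'== Firewall ==';          Get-FirewallReport        | Format-Table -AutoSize
'== Boot integrity flags (empty is good) =='; Get-BootIntegrityReport

# If PartOfDomain is True, this asks Windows which domain controller it located;
# the DC's name and address are the starting point for grawity's "who owns it" question.
$join = Get-DomainJoinReport
if ($join.PartOfDomain) { nltest /dsgetdc:$($join.DomainOrWorkgroup) }
```

If `PartOfDomain` is `False` and every profile is `Private` or `Public`, the machine is not joined to anyone's domain, and the event log entries listed in the question (security object migration, ESENT recovery, Font Driver Host, the S-1-5-21 SID) are what a normal Windows setup and first boot log; the S-1-5-21-... prefix is simply the local machine's own SID. If it is `True`, the domain name and the DC reported by `nltest` are what to record before wiping, as the answer recommends.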