Author Topic: Living off the land hacker has loaded a custom .wim and OS windows10  (Read 17668 times)


Offline KomiiTail

  • Newbie
  • *
  • Join Date: Jan 2022
  • Posts: 7
  • Karma: 0
Hello, I am currently unable to reinstall Windows without a bunch of pre-installed software, not bloatware, but things that seem to be auto syncing and pre-filled proxy and DNS resolution. In addition to that, I cannot do a clean install. I've tried about 50 times; every time it gets overwritten, and when I download an ISO from the internet it says that this file has been modified by another computer. It has been blocked for your safety. I believe that the WIM file is heavily modified and has many packages installed in a custom OS. No virus scanners, and I've tried them all, can pick up these changes. I've tried restore them and repair image to no avail. It seems like I'm being actively synced to some kind of directory, either through OneDrive, which I have disabled, or some other hidden program. I found many artifacts that point to multiple servers and XML documents, and the default user that is hidden has a bunch of programs used for remote access. I'm at a loss at what to do. This has been going on for years. I found and bought Windows Repair from tweaking.com and I ran it in safe mode several times, but there are still some errors that cannot be fixed, such as the default firewall rules, which I believe are just bound to a WIM file, and since it is corrupt, I don't know if it has effectively been cleaned. Every time I run the program it has errors such as disprotected cannot write or something to that effect. That repair was not totally completed; mostly I am concerned about repairing the WIM file so I can reinstall. Please help me, and if I need to do something or make a log or download a program I will. Thank you so much for hearing me out.

Offline Boggin

  • Global Moderator
  • Hero Member
  • *****
  • Join Date: Jul 2014
  • Posts: 10182
  • Location: UK
  • Karma: 122
Re: Living off the land hacker has loaded a custom .wim and OS windows10
« Reply #1 on: January 02, 2022, 03:13:52 pm »
I don't know where you got your Win 10 install media from but you can create a new one after reading -

https://www.microsoft.com/en-gb/software-download/windows10

If you've been able to install Windows Repair then you must have some sort of Win 10 installed.

Boot up with the new install media, navigate to the Install screen and select Repair your computer then select Command Prompt and enter these cmds to see if they resolve.

bcdedit |find "osdevice"

For clarity that is a Pipe symbol before find and is the upper case of \

Using your partition letter instead of the X I have exampled, enter -

dism /image:X: /cleanup-image /restorehealth

sfc /scannow /offbootdir=X:\ /offwindir=X:\Windows

Enter exit to close the cmd windows, remove the install media and reboot to see if that has resolved any issues you have.

If you want to try a clean install with the new media then you may want to format your HDD first.
« Last Edit: January 02, 2022, 03:17:52 pm by Boggin, Reason: Typo »

Offline KomiiTail

« Reply #2 on: January 03, 2022, 06:38:42 am »
I did as directed, and my OS partition is C. The following errors resulted:

For DISM it states "Error: 2 Unable to access the image"
I tried three times to ensure I was correct in invoking the DISM command.

SFC stated "Windows resource protection could not perform the requested operation"

This is after a clean install. My firewall rules, scheduled tasks, silent installs of Edge updater and silent install of OneDrive, ability to access and turn off sync right from the boot has been populated with tasks and remote connection devices/rules.

Offline Boggin

« Reply #3 on: January 03, 2022, 06:51:12 am »
Can you download this free antivirus program and run a scan with it - https://www.totalav.com/en/free-antivirus

Then open a Command Prompt (Admin) or PowerShell (Admin) and enter these cmds -

dism /online /cleanup-image /restorehealth

sfc /scannow

and let me know what they report.

Offline KomiiTail

« Reply #4 on: January 03, 2022, 08:01:12 am »
I ran an elevated CMD as Administrator and the errors are as follows:

DISM states Unable to access the image. (I believe it's because of the second reason stating "do you have read permission on folder.")

SFC states The arguments passed to SFC are invalid. The offline windows directory specified points to the online system.

The virus scan showed no virus.

Thank you so much for helping.

Offline Boggin

« Reply #5 on: January 03, 2022, 08:16:44 am »
Can you open Windows/File Explorer and click on This PC - insert the install USB and double click on its drive.

This will open to its files where you then double click on setup Application.

This should perform a repair install.

Let me know if this proceeds - it can take a couple of hours or so.

Offline KomiiTail

« Reply #6 on: January 04, 2022, 12:35:21 pm »
It reinstalled Windows with no problems, but my startup list has chrome upgrader.exe and my scheduled tasks are doing some other things than just defragment every now and then; in fact it's full of stuff. Once again after the reboot I'm a workstation. Tried the SFC/DISM, same errors. Virtual adapters including a hidden loopback and a lot of hidden devices populated my Device Manager, as it has done every time I clean install or repair. I'm stuck. It's such a horrible feeling, I hope this never happens to anyone.

Offline Boggin

« Reply #7 on: January 05, 2022, 01:48:06 am »
Have you tried manually removing the tasks from Task Manager and the unwanted devices from Device Manager - reboot and see if they return.
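
An added example, not part of any post in this thread: one way to make the "remove, reboot and see if they return" check above repeatable is to snapshot scheduled tasks, startup commands and network-class devices, then list only what appeared after the reboot. The snapshot folder and the function names are hypothetical; run it from an elevated PowerShell prompt so all tasks are visible.

```powershell
# Added example: record autostart state, then diff two snapshots.
# $SnapshotDir and the function names are assumptions made for this example.
$SnapshotDir = Join-Path $env:USERPROFILE 'autostart-snapshots'

function Get-AutostartState {
    # Scheduled tasks: full path, state, and the first command-line action (if any).
    Get-ScheduledTask | ForEach-Object {
        $exec = $_.Actions | Where-Object { $_.Execute } | Select-Object -First 1
        [pscustomobject]@{
            Kind   = 'Task'
            Name   = $_.TaskPath + $_.TaskName
            Detail = "$($_.State) | $($exec.Execute) $($exec.Arguments)"
        }
    }
    # Startup entries from the Run keys and Startup folders.
    Get-CimInstance Win32_StartupCommand | ForEach-Object {
        [pscustomobject]@{
            Kind   = 'Startup'
            Name   = "$($_.Location)\$($_.Name)"
            Detail = $_.Command
        }
    }
    # Network-class devices, including hidden (non-present) ones.
    Get-PnpDevice -Class Net | ForEach-Object {
        [pscustomobject]@{
            Kind   = 'NetDevice'
            Name   = $_.InstanceId
            Detail = "$($_.Status) | $($_.FriendlyName)"
        }
    }
}

function Save-AutostartState([string]$Label) {
    New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
    $path = Join-Path $SnapshotDir "$Label.csv"
    Get-AutostartState | Export-Csv -Path $path -NoTypeInformation
    $path
}

function Compare-AutostartState([string]$Before, [string]$After) {
    $old = Import-Csv (Join-Path $SnapshotDir "$Before.csv")
    $new = Import-Csv (Join-Path $SnapshotDir "$After.csv")
    # '=>' marks rows present only in the later snapshot (new or changed entries).
    Compare-Object $old $new -Property Kind, Name, Detail |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Kind, Name, Detail
}

# Usage: Save-AutostartState 'after-cleanup'   (then reboot)
#        Save-AutostartState 'after-reboot'
#        Compare-AutostartState 'after-cleanup' 'after-reboot'
```

A task that merely changed from Ready to Running also shows up in the diff, so read the Detail column before treating an entry as newly created.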

Offline KomiiTail

« Reply #8 on: January 07, 2022, 06:52:42 am »
Sorry for the long response time. I did disable them and soon after, after a while, they enable again. I then did what you asked and they were there after a minute or so. I honestly believe I am being forced synced, with persistence from registry editing and scheduled tasks.

Offline Boggin

« Reply #9 on: January 07, 2022, 07:14:44 am »
Can you post a pic of the list of tasks from the Task Manager and unwanted devices from Device Manager.

Offline KomiiTail

« Reply #10 on: January 07, 2022, 07:56:30 am »
I will do so in about 30 minutes.  I'm racing home to finally show how weird the virtual network adapters are amongst other things.
