LANGALIST By Fred Langa A subscriber’s PC was commandeered by malware; even the administrator’s account is now inaccessible! How can this PC be safely
[See the full post at: Salvaging a fatally hacked PC]
Salvaging a fatally hacked PC
- This topic has 7 replies, 6 voices, and was last updated 1 year, 2 months ago.
Tags: AskWoody Plus Newsletter Audio Google Remote Desktop LangaList Remote Desktop Connection System Recovery
Author: Fred Langa (AskWoody MVP)
bbearren (AskWoody MVP):

> How can this PC be safely returned to service, especially now that Windows 11 is closing some of the old back-door admin-access workarounds?
The same methods I would use (after replacing a dead drive) if my drive(s) had gone belly up. If the drive(s) are merely compromised, I could skip the replacement steps.
I would restore my latest Image for Windows full drive image, which, although admittedly two to three months old, will effectively completely wipe the drive and restore my partitioning and all data, some of which (depending on the partition) has not changed in the intervening time period.
Then I would use my latest pertinent partition images (OS, Programs, User Data) which are never more than one week old. Any relevant new data (since the last weekly image) I can retrieve from my NAS or the cloud. The full process might take an hour, and leave me confident that I had no vestigial nastiness anywhere.
Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
We were all once "Average Users". We all have our own reasons for doing the things that we do to our systems, we don't need anyone's approval, and we don't all have to do the same things.
Millwood (AskWoody Plus)
oldguy (AskWoody Lounger):

To recover from a firmware-based exploit you’d need to have a motherboard with the BIOS and network boot flash (if separate) in sockets, and to have taken images of those beforehand and made and tested replacements, as the soldering now is a bit mission impossible. (The network boot flash is seldom mentioned and separate, but just as vulnerable; with some designs that area can be hooked with a CMOS setting change, or by default on some systems, though SMM / Secure Boot should catch that and stop the boot.) Dealing with SOIC-8 (solder-down) chips was difficult; the new chips are half that size again and you can’t socket the BGA chips easily, so extreme measures are needed. Basically it can be done, but you can see the literal scale of the work you’d be undertaking here (not a PC in this case; just for scale..): https://blog.quarkslab.com/flash-dumping-part-ii.html
It would seem sensible that the main target for firmware attacks would be ransoming access to the system and the Windows license, so they’re not going to leave the BIOS in a state where you can flash anything, and flashing in the usual context doesn’t usually alter the platform binary table or remove definition blocks, which define drivers inserted into memory by the UEFI firmware and which could be / have been vehicles for firmware-instigated malware. (https://uefi.org/specs/ACPI/6.4/05_ACPI_Software_Programming_Model/ACPI_Software_Programming_Model.html#definition-blocks)
And it might be the consumers they come after next year..
So what to do? Probably regular backups (as the software will have been compromised to leverage an attack), add your Windows license to a Microsoft account even if it’s OEM and have a spare motherboard and a device which doesn’t run Windows to find out how and when it might be safe to use that?
By the way, if you want to make an account inaccessible, try setting read-only on its NTUSER.DAT. The user profile service doesn’t like it. How the odd customer managed to achieve that state was always a mystery, given the file normally has H and S attributes set… though I last saw that in about 2018..
Also not mentioned as a method for malware removal is the use of reg load (in the command prompt of the recovery options started from external media) to load the system and ntuser.dat hives into the registry of the recovery environment.
You can then use regedit to manually hunt and remove the hard to detect (self hiding) obfuscated code sometimes found in various run keys and shell open command areas of the mounted registries, and remove items such as Windows defender entries which sidestep that protection, to weaken the infection enough to be able to get the Windows protection running to clean up the mess, but to be honest I’ve only done that to get in to export browser settings and the like before backup and bare metal restore.
When attackers have written code to bury itself in, and it’s that custom that malware scanning from a boot disk can’t find it, the time has arrived to declare the whole installation lost and only back up user files which are needed (and treat those as potentially infected after reinstalling / restoring the last backup).
Of course to know which backup to use you need to know when the problem actually arrived, as opposed to when it showed its hand (which could be any time thereafter) and to be honest in that situation the only backup I could really trust is the factory default, and only then if I patched all the software in that factory default before doing anything else so when I get there it’ll be time for the recovery media..
Windows is a case for creating your base install, adding software, sysprep preparing the software and taking a FFU image (for bare metal recovery), and then once finally set up your account, you can take incremental WIM backups of the partitions or use the usual backup candidates if you care to..
I don’t think “fatally hacked” is a situation unless it refers to something maintaining life which fails in its function. Perhaps “functionally irretrievable within the bounds of sensible economics and technical expertise”? Anyone good with acronyms?
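The offline-hive hunt described in the post above (reg load from the recovery command prompt, then walk the Run keys, Winlogon, services and the Windows Defender policy keys) as an added example. This is the editor's code, not oldguy's or any tool's; it assumes the infected Windows volume shows up as D: and the profile of interest is D:\Users\victim inside the recovery environment, that PowerShell is available there (it is in Windows 10/11 WinRE; from plain cmd the same reg.exe load/query/unload commands apply), and that ControlSet001 is the control set the machine last booted with. Adjust all three to your layout. It only lists; the commented Remove-ItemProperty line shows where you would delete a value once you have decided it is malicious.

```powershell
# Added example (editor's, not from the thread): inspect autostart locations in
# offline registry hives from a WinRE/WinPE PowerShell prompt.
# ASSUMPTIONS: infected volume is D:, profile is D:\Users\victim, ControlSet001
# is the last-booted control set. Check with diskpart (list volume) and the
# Select\Current value in the SYSTEM hive if in doubt.
param(
    [string]$WinRoot = 'D:\Windows',
    [string]$Profile = 'D:\Users\victim'
)

# Mount names under HKLM are arbitrary; they just must not collide with live keys.
$hives = @{
    'OFFSOFT' = "$WinRoot\System32\config\SOFTWARE"
    'OFFSYS'  = "$WinRoot\System32\config\SYSTEM"
    'OFFUSR'  = "$Profile\NTUSER.DAT"
}

function Mount-OfflineHives {
    foreach ($name in $hives.Keys) {
        $path = $hives[$name]
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "missing hive: $path"; continue }
        # reg.exe load wants a target under HKLM or HKU; the hive must not be in use
        & reg.exe load "HKLM\$name" $path 2>$null | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg load failed for $name ($path)" }
    }
}

function Dismount-OfflineHives {
    # The registry provider keeps handles open; collect them or unload fails
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    foreach ($name in $hives.Keys) { & reg.exe unload "HKLM\$name" 2>$null | Out-Null }
}

# Keys whose values launch code at boot or logon, machine-wide and for the user.
$autostartKeys = @(
    'HKLM:\OFFSOFT\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OFFSOFT\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\OFFSOFT\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\OFFUSR\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OFFUSR\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            # Winlogon holds many benign values; only Shell and Userinit launch code.
            # Defaults are "explorer.exe" and "C:\Windows\system32\userinit.exe,"
            if ($key -like '*Winlogon' -and $valueName -notin 'Shell','Userinit') { continue }
            [pscustomobject]@{ Key = $key; Name = $valueName; Data = $item.GetValue($valueName) }
        }
    }
    # Services whose binary lives outside the Windows directory: not proof of
    # anything (third-party services live in Program Files), but the list to read.
    $svcRoot = 'HKLM:\OFFSYS\ControlSet001\Services'
    if (Test-Path $svcRoot) {
        Get-ChildItem $svcRoot | ForEach-Object {
            $img = $_.GetValue('ImagePath')
            if ($img -and $img -notmatch '^"?(\\SystemRoot|%SystemRoot%|System32|\\\?\?\\[A-Za-z]:\\Windows|[A-Za-z]:\\Windows)') {
                [pscustomobject]@{ Key = $_.Name; Name = 'ImagePath'; Data = $img }
            }
        }
    }
}

# Defender tampering that is visible offline: the policy kill switch and path exclusions
function Get-DefenderTampering {
    $policy = 'HKLM:\OFFSOFT\Policies\Microsoft\Windows Defender'
    if (Test-Path $policy) {
        $v = (Get-Item $policy).GetValue('DisableAntiSpyware')
        if ($v -eq 1) { [pscustomobject]@{ Key = $policy; Name = 'DisableAntiSpyware'; Data = $v } }
    }
    $excl = 'HKLM:\OFFSOFT\Microsoft\Windows Defender\Exclusions\Paths'
    if (Test-Path $excl) {
        # Value names are the excluded paths themselves
        foreach ($p in (Get-Item $excl).GetValueNames()) {
            [pscustomobject]@{ Key = $excl; Name = $p; Data = 'excluded path' }
        }
    }
}

Mount-OfflineHives
try {
    Get-AutostartEntries  | Format-Table -AutoSize -Wrap
    Get-DefenderTampering | Format-Table -AutoSize -Wrap
    # Once a value is judged malicious, delete it in the mounted hive, e.g.:
    # Remove-ItemProperty 'HKLM:\OFFUSR\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Updater'
} finally {
    # Always unload, or the hive stays dirty and the next boot may refuse the profile
    Dismount-OfflineHives
}
```

Read the output against what you know should be there rather than against a scanner: a Run value pointing at a script host or at a path under AppData, a Userinit with a second comma-separated entry, or an exclusion covering the whole user profile are the kinds of things the post is talking about. As the post also says, this is triage to get back in and export what you need; the decision to rebuild is separate.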
bbearren (AskWoody MVP):

I recovered two installations (two PCs) completely after a house fire destroyed the hardware by restoring my drive images to new hardware. By drive images, I mean as described in my reply #2431434 above. That method is the most time-efficient and fault free.
There’s no need for overkill.
Carl (AskWoody Plus):

I agree. I keep 40 generations of incremental backups and 30 image backups on multiple, ransomware protected, backup drives.
If the cost of restoration (my time is valuable) is more than the cost of replacement, guess which one wins. I’d still restore the BIOS from a known good BIOS image (I keep multiple gens of those too) just for peace of mind. I don’t think a sophisticated state actor would be attacking my firmware.
But, I’m looking at two of my backup drives sitting on my desk right now. After reading your comments, I think I’ll get off my lazy *** and put them in the fire proof safe where they belong ……
anonymous (Guest):

> Browsers routinely communicate their associated IP address and full user agent string with every site they visit. This data can include the browser family, type, mobile or desktop variant, version, OS brand, bittedness, current resolution, compatibility information, and numerous other platform, browser, and extension details.
But Remote desktop apps have access to every keystroke you press. And we know Google loves to try and analyze what we type to get information on us.
johnf (AskWoody Lounger):

> Browsers routinely communicate their associated IP address and full user agent string with every site they visit. This data can include the browser family, type, mobile or desktop variant, version, OS brand, bittedness, current resolution, compatibility information, and numerous other platform, browser, and extension details.
Here’s a good article on how to reduce your browser fingerprints
https://www.experte.com/it-security/browser-fingerprint
As far as rescuing someone else’s PC from a bad infection, it’s rare to find users who do regular backups on an external device. If a Windows 10/11 refresh isn’t possible because of the severity of the infection, and there are no good backups, I usually boot a Linux Live USB and transfer data ONLY to a new USB hard drive. Then I’ll do an initial scan with Clam on the USB hard drive. After that, I’ll put the USB hard drive aside, do a fresh format and new Windows install on the PC, and then run malware/anti-virus scans on the USB drive before transferring the data back to the PC. If I’m feeling paranoid, I’ll replace the hard drive on the PC itself before doing the new Windows install (probably a good idea anyway, as HDs don’t last as long these days).
I’ll set up the user account as a NON ADMIN account, using strong passwords for both the User account and the Admin account (Windows users shouldn’t be running as admin!!). I’ll talk to them about not downloading email attachments, or accepting all the defaults when installing software (you don’t need multiple anti virus programs or nasty malware just to get a free program). I’ll also talk to them about using firewalls on the PC and the router, and not abuse them by using programs that create holes just to play games and such.
I’ll also suggest doing regular malware and virus scans, along with regular backups on removable media. Speaking of removable media, I’ll suggest scanning all flash or other drives you attach EVERY time you connect them to the PC, and NEVER use a flash drive that’s been used on another PC. Even new ones should be scanned before use!!
I’ll talk about using 2 factor authentication when possible, safe surfing, etc.
And after all that (and more), I’ll expect to hear back from the same user in a year or less complaining about an infection. Bad habits die hard, and Windows PCs are a LOT of work to maintain, something people don’t want to hear.
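The "data ONLY" step in the post above, as an added example. johnf does it from a Linux live USB and scans with ClamAV; this editor's script does the same data-only copy from a WinRE/WinPE PowerShell prompt instead, so it can sit next to the registry example earlier in the thread. It is not johnf's procedure or any product's code. Assumptions: the infected volume is D:, the profile is D:\Users\victim, and the fresh USB drive is E:. The point it adds to the post is the rule for what "data only" means in practice: nothing executable, no scripts, no macro-enabled Office formats, no shortcuts or registry hives, plus a SHA-256 manifest so the rescued set can be re-verified after the AV pass and again after the reinstall.

```powershell
# Added example (editor's, not from the thread): data-only salvage of a user
# profile from a recovery prompt before the disk is wiped.
# ASSUMPTIONS: infected volume D:, profile D:\Users\victim, clean USB drive E:.
param(
    [string]$Source      = 'D:\Users\victim',
    [string]$Destination = 'E:\salvage\victim'
)

# Anything that can run or carry active content stays behind. Documents,
# pictures, mail archives and the like come across. Extend to taste.
$denyExt = @(
    '.exe','.dll','.sys','.scr','.com','.pif','.msi','.msp','.bat','.cmd',
    '.ps1','.psm1','.vbs','.vbe','.js','.jse','.wsf','.wsh','.hta','.lnk',
    '.url','.docm','.xlsm','.pptm','.dotm','.xlam','.jar','.iso','.img'
)
# Profile subtrees that hold only caches, browser state or per-user installs
$denyDirs = @(
    'AppData\Local\Temp',
    'AppData\Local\Microsoft\Windows\INetCache',
    'AppData\Local\Programs'
)

function Test-SalvageAllowed {
    param([System.IO.FileInfo]$File, [string]$Root)
    $rel = $File.FullName.Substring($Root.Length).TrimStart('\')
    foreach ($d in $denyDirs) { if ($rel -like "$d\*") { return $false } }
    # Registry hives (NTUSER.DAT, UsrClass.dat and their logs) are persistence, not data
    if ($File.Name -match '^(ntuser\.|UsrClass\.dat)') { return $false }
    if ($denyExt -contains $File.Extension.ToLowerInvariant()) { return $false }
    # Zero-byte files carry nothing worth the risk of a stray name
    if ($File.Length -eq 0) { return $false }
    return $true
}

function Copy-UserData {
    param([string]$Src, [string]$Dst)
    $manifest = Join-Path $Dst 'MANIFEST.sha256'
    New-Item -ItemType Directory -Force -Path $Dst | Out-Null
    $copied = 0; $skipped = 0
    # -Force so hidden/system files are seen and judged, not silently missed
    Get-ChildItem -LiteralPath $Src -Recurse -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        if (-not (Test-SalvageAllowed -File $_ -Root $Src)) { $skipped++; return }
        $rel    = $_.FullName.Substring($Src.Length).TrimStart('\')
        $target = Join-Path $Dst $rel
        New-Item -ItemType Directory -Force -Path (Split-Path $target) | Out-Null
        Copy-Item -LiteralPath $_.FullName -Destination $target -Force
        # Hash the copy, not the original: this is what the AV scan and the
        # later restore will be compared against
        $h = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        Add-Content -Path $manifest -Value "$h  $rel"
        $copied++
      }
    [pscustomobject]@{ Copied = $copied; Skipped = $skipped; Manifest = $manifest }
}

Copy-UserData -Src $Source -Dst $Destination | Format-List
```

After the scan on the salvage drive, and again after the data has been put back on the rebuilt PC, recompute the hashes and compare against MANIFEST.sha256; a file that changed between the two points was touched by something other than you. Treat anything that only exists as a macro-enabled document as a question for the user rather than something to quietly carry over.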
Copyright ©2004-2023 by AskWoody Tech LLC. All Rights Reserved.