
I have a stack of 4 personal laptops (running everything from Windows 7 Pro to Windows 10 Home) that have been rendered useless after being migrated to a domain server and made to run a large number of background applications, none of which can be removed from startup, even by the best malware/anti-piracy software.

After the last recovery on a Sony VAIO running Win 10 10.0.17134 Build 17134, I immediately opened event viewer and saw a bizarre series of actions taken before I had even logged on as a User/Administrator:

  1. Offline downlevel migration of security objects

  2. Additional ESENT database information added

  3. Software protection service set to restart in a few days

  4. Software protection then turned off

  5. VideoUI service started (note: this is before any other programs)

  6. Recovery of VideoUI database engine

  7. New VideoUI session started

  8. Boot configuration set to disable verification and debugging

  9. Workgroup user created (Font Driver Host) and given special privileges, including impersonation

  10. A bunch of new users are created and given special privileges

  11. SID S-1-5-21...queries user accounts for blank passwords

  12. SID S-1-5-21 migrates cryptographic key for local user accounts

Since I know zero about tech, it took me a long time to figure out what was going on. But, it appears that any laptop (I have a VAIO, ASUS, DELL and LENOVO) running Windows is hijacked this way and migrated to a domain server controlled by someone else. I've set them up over public and private networks at home or in the office. Doesn't seem to care. The one constant is that they were all setup over networks connected to Spectrum/TWC connections.

When I operate the machines as though they are running like normal personal computers, troubles arise and they shut down... sometimes claiming registry errors that will not even allow them to boot into WinRE.

Over 6 years, I've taken them to IT experts. I've run every malware scanner in the known universe. Nothing helps.

What is happening? How can I identify the origin of the SIDs causing the trouble? How can I identify who controls the domain server where they are migrated?

You're my hero if you can provide any help! CoopNYC

1 Answer

I would do this in order:

  • Update the firmware of your router (install again even if already at the latest version) then factory-reset it. Ensure its firewall is enabled and Internet access is not allowed to its settings page.
  • Turn off all computers and disconnect from the network.
  • Turn them on one by one, format and reinstall Windows and ensure their firewall is enabled.
  • Connect the computers one by one to the network and fully patch each.

If this happens again then you are yourself installing the malware, or perhaps your router is vulnerable (replace before starting if it dates from 6 years ago).

See also the following post:
How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?

harrymc
  • 498,455
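The question asks how to tell where the `S-1-5-21...` SIDs come from and whether the machine has really been joined to someone else's domain, and the answer ends with a rebuild checklist (firewall on, one machine at a time, fully patched). The following read-only PowerShell audit is an added example, not part of the question or of harrymc's answer. It reports domain membership straight from `Win32_ComputerSystem`, derives the local machine SID from any local account (a local SID is always the machine SID followed by a RID), classifies a SID as local, foreign-domain or built-in, and then lists the state the answer's checklist cares about. The function names `Get-DomainMembership`, `Get-MachineSid`, `Resolve-Sid` and `Get-RebuildChecks` are my own; the cmdlets and classes they call are standard on Windows 8.1/10 and later. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the question or harrymc's answer). Read-only audit:
# 1) is this PC domain-joined, and to what?  2) do the S-1-5-21-... SIDs in the
# event log belong to this machine?  3) post-rebuild checks from the answer.

function Get-DomainMembership {
    # Win32_ComputerSystem is the authoritative source for join state.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName      = $cs.Name
        PartOfDomain      = $cs.PartOfDomain   # $true only if joined to an AD domain
        DomainOrWorkgroup = $cs.Domain         # 'WORKGROUP' on a stand-alone PC
        LogonServer       = $env:LOGONSERVER   # \\DCNAME when a domain controller logged you on
    }
}

function Get-MachineSid {
    # Every local account SID is <machine SID>-<RID>; strip the trailing RID.
    $local = Get-LocalUser | Select-Object -First 1
    $local.SID.Value -replace '-\d+$', ''
}

function Resolve-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $machineSid = Get-MachineSid
    # S-1-5-21-* prefixed with this machine's SID => a local account.
    # Other S-1-5-21-* => issued by a different machine or by a domain.
    # Anything else (S-1-5-18, S-1-5-96-*, ...) => a well-known/virtual Windows account
    # such as SYSTEM or the Font Driver Host (UMFD) accounts Windows creates itself.
    $origin = if ($Sid -like "$machineSid-*")  { 'local machine' }
              elseif ($Sid -like 'S-1-5-21-*') { 'another machine or a domain' }
              else                             { 'well-known / built-in' }
    try {
        $name = ([System.Security.Principal.SecurityIdentifier]$Sid).
                    Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<not resolvable from this machine>'   # typical for a foreign domain SID
    }
    [pscustomobject]@{ Sid = $Sid; Account = $name; Origin = $origin }
}

function Get-RebuildChecks {
    # Mirrors the answer's checklist: firewall enabled on every profile, the local
    # Administrators group contains only accounts you recognise, and the startup
    # entries plus recent account creations (Security event 4720) are visible.
    $firewall = Get-NetFirewallProfile | Select-Object Name, Enabled
    $admins   = Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, PrincipalSource, SID
    $startup  = Get-CimInstance -ClassName Win32_StartupCommand |
                Select-Object Name, Command, Location
    $newUsers = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } `
                    -MaxEvents 20 -ErrorAction SilentlyContinue |
                Select-Object TimeCreated, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
    [pscustomobject]@{
        Firewall               = $firewall
        LocalAdmins            = $admins
        Startup                = $startup
        RecentAccountCreations = $newUsers
    }
}

# Usage: replace the sample SID with one copied from your own event log entry.
Get-DomainMembership | Format-List
Resolve-Sid -Sid ((Get-MachineSid) + '-500') | Format-List   # built-in Administrator of this PC
$r = Get-RebuildChecks
$r.Firewall               | Format-Table -AutoSize
$r.LocalAdmins            | Format-Table -AutoSize
$r.Startup                | Format-Table -AutoSize -Wrap
$r.RecentAccountCreations | Format-Table -Wrap
```

Reading the output: `PartOfDomain = False` with `DomainOrWorkgroup = WORKGROUP` means the PC is not joined to any domain, whatever the event log wording suggests; if it is `True`, the `DomainOrWorkgroup` value is the domain name to investigate and `LogonServer` names the controller that authenticated the logon. A SID reported as `another machine or a domain` that also fails to resolve is the signature of an account that was not created on this PC. Run `Get-RebuildChecks` right after the reinstall described in the answer and keep the output; re-running it after each device is added to the network gives you a before/after comparison for the Administrators group and the startup list.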