Embedded virus or hacker in motherboard or TPM???
02-23-2022 09:52 AM
Hi, I have a terrible ongoing problem with someone hacking me over and over and over. It just happened again, and I knew right away because at 4AM one morning my computer restarted itself for no reason. I know it was them doing something. They infect every piece of electronics in the house and the only way to get rid of it is to wipe hard drives of EVERYTHING at once and replace the ISP's modem. But this time...wiping my hard drive isn't working. I wiped the hard drives with CBL Shredder on a USB stick (3 times overwrite), then re-installed Windows fresh from a Windows installation media USB stick. But immediately, as soon as I hook up the ethernet wire, I can see the hackers installing stuff. I watch the event viewer and I see them installing Azure Active Directory stuff and they keep installing security certificates. They used 40 GB of internet in 2 days installing Azure AD crap. I keep wiping the hard drives and they keep reinstalling...I can't stop them. But why, when I wipe the hard drives and do a fresh install of Windows, doesn't it get rid of them? Even when I'm installing or wiping using a USB....I see drive X:// and it has remnants of their Azure crap on it....how is that possible if I wiped every hard drive on the computer??? I also notice it says I'm connected to a domain....but then when I go to settings and check if there's a work thing connected...it says no. Yet, when I click on network (from Explorer) or do a network scan with my phone...it says connected to a domain. I suspect when the computer shut off that night...they got into my BIOS settings and I think maybe the TPM or something. How can I check my BIOS settings and reset/reinstall the TPM or security??? They MUST have something programmed into the BIOS so when I wipe the hard drives it doesn't work.
02-23-2022 10:09 AM
Hi @devildz204
Please check if you have an updated BIOS.
F.27 Rev.A
https://ftp.hp.com/pub/softpaq/sp96501-97000/sp96779.exe
Description:
This package provides an update to HP Consumer Desktop PC BIOS (ROM Family SSID 82F1) for supported models running a supported operating system.
Fix and enhancements:
** After this BIOS update has been installed, previous BIOS versions cannot be reinstalled.
- if I can help solve your question or issue, please click on ACCEPT AS SOLUTION or click the YES button if my answer was helpful.
02-23-2022 11:00 AM
Hi
Sorry, but in my opinion, you mistakenly think that...
First see what it is you are talking about.
You may just have updates that are installing, and I don't know what else.
But we most certainly won't do what you say repeatedly.
A computer can restart on its own, without it being done by a hacker
https://azure.microsoft.com/fr-fr/services/active-directory/#features
Was this reply helpful, or do you just want to say thank you? Click on the Yes button.
Please remember to mark the answers; this can help other users.
Desktop-Knowledge-Base
Windows 11 22h2 inside , user
02-23-2022 11:24 AM - edited 02-23-2022 11:25 AM
You can do the following, using the netstat command (Do not open any browser or visit web pages.)
Open PowerShell and type:
netstat -aon > netstat.txt
Then find the file netstat.txt in the root of the disk C: and open it with Notepad. There you will see the list of IPs that connect to your PC and the port; then verify each IP, as they may be the IPs of Windows update servers.
For example, use this page to try to identify which IP should not be connecting, then block it on your router and see if it is still active.
AbuseIPDB - IP address abuse reports - Making the Internet safer, one IP at a time
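The step described above stops at a raw netstat.txt. The script below (an added example, not code from the thread or from HP) parses that listing into a table of external endpoints with the owning process, so each remote IP can be checked on a reputation service such as AbuseIPDB before blocking it on the router. The $sample text is a constructed stand-in for a real netstat.txt and uses documentation IP ranges.

```powershell
# Added example, not from the thread. Usage on the real file:
#   netstat -aon > netstat.txt
#   Get-RemoteEndpoints (Get-Content .\netstat.txt) | Format-Table -AutoSize
# $sample is a constructed stand-in for netstat.txt (documentation IP ranges).
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1080
  TCP    192.168.1.10:49712     13.107.42.14:443       ESTABLISHED     4212
  TCP    192.168.1.10:49801     203.0.113.77:8443      ESTABLISHED     6120
  TCP    [fe80::1%5]:49802      [2001:db8::10]:443     ESTABLISHED     6120
  UDP    0.0.0.0:500            *:*                                    1440
'@ -split "`r?`n"

function Test-PrivateAddress([string]$ip) {
    # Loopback, RFC 1918, link-local and unspecified addresses never need an external lookup.
    return $ip -match '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|0\.0\.0\.0$|::1$|::$|fe80:)'
}

function Get-RemoteEndpoints([string[]]$NetstatLines) {
    # UDP rows have no State column, so that field is optional in the pattern.
    $pattern = '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$'
    foreach ($line in $NetstatLines) {
        if (-not ($line -match $pattern)) { continue }
        $proto, $remote, $state, $procId = $Matches[1], $Matches[3], $Matches[4], [int]$Matches[5]
        if ($remote -eq '*:*') { continue }
        # Separate address from port; IPv6 endpoints are written as [addr]:port.
        if ($remote -match '^\[(.+)\]:(\d+)$') { $ip, $port = $Matches[1], $Matches[2] }
        else { $ip, $port = ($remote -split ':', 2) }
        if (Test-PrivateAddress $ip) { continue }
        # Map the PID to a process name; it may already have exited since the capture.
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { '(not running now)' }
        $stateText = if ($state) { $state } else { '-' }
        [pscustomobject]@{
            Protocol   = $proto
            RemoteIP   = $ip
            RemotePort = [int]$port
            State      = $stateText
            PID        = $procId
            Process    = $procName
        }
    }
}

Get-RemoteEndpoints $sample | Format-Table -AutoSize
```

Connections to Microsoft ranges owned by svchost or Windows Update processes are expected on a fresh install; only unexplained remote IPs owned by unfamiliar processes are worth a lookup.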
02-24-2022 12:32 AM
So, thank you for all your help. It is 1000% a virus or a malicious hacker. I installed the new BIOS update, wiped the hard drives again...and it's still all there. On the start menu (right from a fresh Windows install) there are blank squares where apps are waiting to be installed from the cloud. There are numerous errors in the event log right away regarding security certificates and netlogon or winlogon and DCOM servers and even kernel errors. There are thousands of errors in the first hour after the fresh install. But when I go to settings and see if I'm attached to a work account...it shows nothing, so I can't disconnect it.
I did try blocking certain programs and tried blocking all domain activity with Windows Firewall but it doesn't work at all. Now I can't even log into the router; it says wrong password...I detected ARP spoofing when using my cellphone. I factory reset the router 3 times already...can't get into the settings. I don't know what to do; I can't disconnect from their Azure AD....they keep replacing apps with fake apps on my cellphone and computer and everything says managed by an organization. I can't find any help anywhere, and even shredding the hard drives and re-installing Windows won't work. I bought a second router...I'm gonna try to connect it, then connect my devices to that one...but I can't believe this won't work. I also tried resetting my computer from Windows settings...DISM and SFC /scannow...but now the command line is gone. There's only PowerShell, which I am not familiar with. I will try tonight to block those IP addresses...I actually did this a few days ago...but with Windows Firewall and not the router. I also downloaded some other advanced firewall programs I may try out, and Comodo Dragon business suite. I thought about making my own Azure domain and trying to switch over or something. I just don't get it...how the fresh install doesn't work...is Azure tied to my serial number or something...or my Windows license key? I may try to re-install Windows somehow with a different disc....
02-24-2022 09:42 AM
I am thinking that you created a work account and Azure Active Directory; then you can receive modifications from the Domain Admin of the work account. I recommend you install Windows with a local account.
02-24-2022 10:58 AM
@devildz204 --
> Even when I'm installing or wiping using a USB....I see drive X:// and it has remnants of their Azure crap on it....how is that possible if I wiped every hard drive on the computer???
Is your disk-drive split into multiple partitions?
Did you wipe every partition, and then delete each now-empty partition?
That "X:" drive-letter is created by the Windows Installer, by "borrowing" some RAM from your computer, and creating a "file-system" on this "virtual" disk-drive, and copying some files from your installation media onto the "X:" drive.
So, from where did you get the installation media?
It seems like the contents of the media contain the installer(s) for Azure.
See: Download Windows 10 (microsoft.com)
to download, from Microsoft, the "generic" (not customized to include Azure) Windows Installer.
This app will create a "bootable" device, either burning one DVD-recordable disk, or writing to an empty 8 GB (or larger) USB memory-stick. So, disconnect the Ethernet cable from your computer, when running the Installer, and Windows will create a "local account". Without an Ethernet connection, no additional software can be downloaded/installed -- you will get a "clean" and "minimal" install of Windows.
> I also notice it says I'm connected to a domain.
That is not typical.
Again, the Windows Installer that you are repeatedly using seems to have been modified to automatically make that connection.
02-25-2022 06:07 AM
Yeah, thanks a lot for your help guys....I managed to get it a lot better by following all of your steps last night. I didn't even sleep, hahaha. But I installed the new BIOS, then wiped it, but it didn't seem to work. Then I read up on the TPM module or security chip...I went into Windows Settings, Windows Security, Device security...and clicked Security processor details, then Troubleshoot security processor, and I reset it. The computer restarted itself and it was much much better...I checked Event Viewer and now their security certificates aren't being approved by Windows. The Azure stuff was still there, but I read up on disconnecting Azure...it said to change your computer name back to its original when Azure was introduced (I forgot the original name though). I just changed the computer name randomly....then underneath it said I was part of a workgroup (called WORKGROUP)...so I just renamed that to WGROUP instead. It worked...I now have access to all the settings again and most of the Azure stuff is gone but not all. There are certain services in services.msc that are from Azure (they're greyed out) and I can't erase them...and I'll bet registry stuff. I'm gonna re-download the Windows installation media (I did get it from the same site you mentioned, but I don't remember exactly what parameters I set on it). This time maybe try burning it to a disc...I can tell this worked though...even my desktop looks different, and I have access to everything and I'm the administrator now. Thank you all a lot!
There is one more little tiny thing that I can't seem to get rid of and it's bad because it's redirecting my internet traffic, I believe. When I do ipconfig /all...there's this DNS suffix search list....hitronhome.hub. It's hard wired or something, maybe in the registry or some advanced settings. I do have a Hitron router (Shaw cable is coming to change it out)...but this is that Azure stuff. Same thing it said before things went south (it re-labelled computers and cellphones Hitronhub.home), so I'm scared it's trying to come back. My internet is extremely slow and certain websites won't come up at all. Any ideas how to set the DNS suffix??? I have gone into IPv4 and IPv6 properties and enabled everything but it doesn't seem to be in there...not sure? It might be in gpedit.msc under Local Group Policy Editor...but I find it very difficult to set up. Also, I never want to be connected to a work account or Azure AD ever again in my life (someone keeps installing that crap on my Android cellphones too, and I have to throw them away). Any ideas of how to block connections to Azure or any other MDM if I'm not working and this is my personal home computer??? The more I google it...it seems virtually impossible. I thought of making my own MDM account somewhere (maybe Comodo) and enrolling my PC and phones/tablets maybe the Thanks soooo much for all your help, I appreciate it a lot!!! I was really getting stressed out over all this, thank you guys.
DNS suffix setting - I can't seem to change it
02-25-2022 10:14 AM
@devildz204 --
> I just changed the computer name randomly....then underneath it said I was part of a workgroup (called WORKGROUP)...so I just renamed that to WGROUP instead.
There is a difference between your computer being a member of a "workgroup", and your computer being enrolled into a Windows DC ("domain-controller"). That DC allows several features, including group E-mail, shared file-storage, and Microsoft Exchange Server. I doubt that your computer is part of a "domain".
> There is one more little tiny thing that I can't seem to get rid of and it's bad because it's redirecting my internet traffic, I believe. When I do ipconfig /all...there's this DNS suffix search list....hitronhome.hub. It's hard wired or something, maybe in the registry or some advanced settings. I do have a Hitron router (Shaw cable is coming to change it out).
What you are seeing is common to all Shaw Internet customers who have the HITRON cable-modem.
If Shaw upgrades you to their Comcast XB6 or XB7 cable-modems, that name will change.
When your computer sends a DHCP-request to the cable-modem, the response includes that "hitronhome.hub" string.
Any cable-modem will return some string.
But, the value of the string does not "redirect" your Internet traffic, even though you have made that claim.
If you logon to the HITRON, you can change the "DNS Suffix" to any value of your choice.
The ID/password and method for the "logon" are printed on the label of the HITRON cable-modem.
What Internet speed is in your contract with Shaw?
When you run the Shaw Speed Test -- http://speedtest.shaw.ca
do the actual values match what is listed in your contract?
Run it at least twice, and report (here) each result.
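The two replies above separate three things the thread runs together: a real domain or Azure AD join, the "domain" label that Explorer's network view shows, and a DNS suffix handed out by the cable modem over DHCP. The script below is an added example (not from the thread or from HP) that reports each of them on a Windows 10/11 PC using only built-in cmdlets and the built-in dsregcmd tool, so the three can be verified instead of guessed at.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on Windows 10/11.
function Get-JoinState {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $ds = (dsregcmd /status) -join "`n"      # built-in tool that prints the join state
    [pscustomobject]@{
        ComputerName    = $cs.Name
        PartOfDomain    = $cs.PartOfDomain   # $true only for a real on-premises AD join
        DomainOrWG      = $cs.Domain         # shows the workgroup name when not joined
        AzureAdJoined   = [bool]($ds -match 'AzureAdJoined\s*:\s*YES')
        WorkplaceJoined = [bool]($ds -match 'WorkplaceJoined\s*:\s*YES')
        # Explorer's "domain" label is this category, not evidence of a join.
        NetworkCategory = ((Get-NetConnectionProfile).NetworkCategory) -join ','
    }
}

function Get-DnsSuffixSources {
    # The global search list lives in the registry/policy; the per-adapter suffix is what
    # DHCP option 15 from the modem hands out and it is re-applied on every lease renewal,
    # which is why editing it on the PC does not stick.
    $global = (Get-DnsClientGlobalSetting).SuffixSearchList
    foreach ($a in (Get-DnsClient | Where-Object ConnectionSpecificSuffix)) {
        $ipIf = Get-NetIPInterface -InterfaceIndex $a.InterfaceIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Interface        = $a.InterfaceAlias
            AdapterSuffix    = $a.ConnectionSpecificSuffix
            SuffixFromDhcp   = ($ipIf.Dhcp -eq 'Enabled')   # if true, change it on the modem, not the PC
            GlobalSearchList = ($global -join ',')           # empty unless set locally or by policy
        }
    }
}

Get-JoinState | Format-List
Get-DnsSuffixSources | Format-Table -AutoSize
```

A suffix such as hitronhome.hub appearing only as AdapterSuffix with SuffixFromDhcp set to True is the modem's DHCP option, which matches the explanation above; a non-empty GlobalSearchList on a home PC is the setting worth reviewing.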