u20210512
Message 1 of 8

New PC Hacked After Securing BIOS and Before I load OS or Connect to the Internet

M01-F1033wb
Microsoft Windows 10 (64-bit)

Hello,

 

I purchased a new computer on July 27th. I powered it on for the first time on July 28th, and after I secured the BIOS I observed the splash screen "Preparing for Automatic Repair." I powered off the computer. On July 30th, I accessed the System Recovery for the first time, and I believe I found files and information about storage drives corrupted. I believe the computer is hacked.

 

Before I describe my interactions with this computer so far, I believe it is important to state I am the victim of persistent and ubiquitous hacking and harassment. In the last year, I purchased a laptop and several phones which were hacked before I even connected these to the internet/Wi-Fi/Bluetooth. This is why I decided to secure BIOS Setup, disable the Networking Adapter (or hide it as HP's BIOS configuration calls it) and enter the System Recovery boot menu before I loaded and created the first account of the OS (the ordinary way). I thought that by disabling the Wi-Fi and Bluetooth I could prevent hacking.

 

If you are wondering why I am choosing to try to get support via this community forum (and not through a web ticket, chat or a phone call), read the section "AN EXAMPLE OF MY INTERACTION WITH CUSTOMER SUPPORT" at the end of this post.

 

I purchased this computer on July 27th, 2021, and powered it on the next day. I secured the BIOS through the setup by setting the administrator and power-on passwords, configured a 20-second POST time, and hid the Network Adapter and USB ports with the exception of the keyboard and mouse. I wish the BIOS setup of your computers allowed us to hide the Bluetooth, but given that these do not, I wanted to disable the drive from the System Recovery menu. This is a bundled PC, so a wired keyboard and mouse were included.

 

On July 28th, after I secured the BIOS, and when I rebooted it, after I entered the power-on password, I saw a screen with the message "Preparing for Automatic Repair." This was unexpected and I immediately powered off the machine; this screen made no sense to me. Why would the computer begin to repair itself if I have not loaded the OS once?

 

I powered on the machine, and again, after I entered the power on password, the "Preparing for Automatic Repair" was displayed. I powered off the machine. I entered the BIOS Set Up again and confirmed the Network Adapter was "Hidden." I powered off the computer, and stopped using the computer for a couple of days.

 

On July 30th, I powered on the machine and was able to see the boot menu; I entered the "System Recovery" (F11) for the first time. At this time, I was vaguely familiar with the System Recovery environment of the Windows Operating System. When I entered it, I saw a blue screen with the heading "Continue," "Troubleshoot," and "Turn off your PC." When I selected Troubleshoot, I was presented with "Reset this PC" and "Advanced options." When I selected the latter, the page had another six options:

 

  • Startup Repair
  • Startup Settings
  • Command Prompt
  • Uninstall Updates
  • UEFI Firmware
  • System Restore

 

When I clicked any of these options, with the exception of UEFI Firmware, I was taken to a page that prompted me to "Choose an account to continue." Below it there was the text "Administrator," and further down, "Forgotten your password or can't see your account?"

 

In this video you can see my experience when I select the Command Prompt:

 

 

At the time, I did not know that Windows comes with a default Administrator account. So I was looking for information over the internet about this Administrator account and why it exists without my having created it. In fact, I posted my question to this forum: https://h30434.www3.hp.com/t5/Desktop-Operating-Systems-and-Recovery/On-a-New-PC-I-Have-Not-Loaded-t...

 

Once I learned that the Administrator account comes by default, is active, and has a blank password in new systems, I was able to enter the command prompt. After I clicked Troubleshoot > Advanced options > Command Prompt, I was redirected to another blue screen and a command prompt window appeared with the title "Administrator: X:\windows\system32\cmd.exe". Again, this video shows what I observed: https://www.youtube.com/watch?v=fEfmZGIepU4

 

After I disabled the Bluetooth device (pnputil /disable-device ...), I began to explore the files and drives through the file explorer that opened when I wanted to open a text file from notepad (I realized this environment was a graphic user interface and allowed me to use the mouse).

 

I saw there were three drives, Windows (C), Windows RE tools (D), Boot (X). And as I explored the files, I noticed that many folders were dated back to December 6th, 2019, so I ran the command "sfc /SCANNOW," and I got the message

 

"Windows Resource Protection could not perform the requested operation."

 

I navigated back to the first blue screen, and I selected the "Reset This PC" option and "Remove Everything."

 

I observed the progress of this reset, which started around 1950 hrs. By 2150 hrs the progress was at 68%, and at 2202 hrs, progress jumped from 68% to 100%.

 

When the computer rebooted, and I again entered System Recovery, I saw newer options to choose from:

 

  • Continue (Exit and continue to Windows 10)
  • (new option) Use another operating system (Continue with another installed version of Windows)
  • Troubleshoot (Reset your PC or see advanced options)
  • Turn off your PC

I was confused by the "Use another operating system" option, and when I selected it I saw three options:

 

  • Windows Recovery Environment
  • Windows 10 (On volume 3)
  • Windows 10 (On volume 3)

I navigated back, and entered Troubleshoot > Advanced options > Command Prompt. This time, I no longer saw the administrator account listed; instead, the command prompt window readily opened without a title (as compared to the Command Prompt window title I saw the first time I accessed this utility; i.e., "Administrator: X:\windows\system32\cmd.exe").

 

I opened a text file, and through notepad's file explorer I began to explore the drives, and I noticed the C and X drives no longer had the "Administrator" folder under the Users path.

 

As I continued to explore the folders and files of the X drive, I recorded this video: 

 

 

The video lasts over 8 minutes, and below, I indicate the timing of events I care to highlight:

 

@0:10 I clicked the Command Prompt utility from the Advanced Troubleshooting options, and I no longer saw the window's title. The command prompt window was missing the "Administrator: X:\windows\system32\cmd.exe" I'd observed before I "Reset this PC" and "Delete Everything."


@0:43 I invoked "whoami," and I was redirected to the System Recovery top menu. I got back to the Command Prompt utility, and again I invoked "whoami" to have the same thing happen again.


@1:19 I entered the newly listed submenu item "Use another operating system" top menu option and saw the options:

 

  • "Windows Recovery Environment"
  • "Windows 10 on volume 3"
  • "Windows 10 on volume 3"

Notice the two instances of Windows 10 on volume 3.


@1:40 I entered the Advanced Troubleshoot utility System Restore, and I was not able to see the text within the window that popped up.


@2:59 I entered the Advanced Troubleshoot utility Startup Repair. The splash screen appeared with the text "Diagnosing your PC," which later changed to "Applying repairs."


@4:06 The computer restarted


@6:10 I entered the "Use another operating system" top menu item, and I continued to see the options "Windows Recovery Environment" and "Windows 10 on volume 3" twice.


@6:36 I clicked the Command Prompt utility from the Advanced Troubleshooting options, and although I am not presented with the Administrator account, nor asked to enter a password, the Command Prompt window has the title "Administrator: X:\windows\system32\cmd.exe"

 

In this other video, I do a more extensive and deeper exploration: 

 

 

The video begins once I am already in the System Recovery environment, and it is important I repeat that contrary to the times I accessed the Advanced Troubleshooting utilities before I "Reset the PC" and "Delete everything," I was no longer presented with the "Administrator" account nor required to enter a password.

 

Below, I indicate the timing of events I care to highlight:


@0:09 The System Recovery environment's Advanced Troubleshooting utility Command Prompt's window has the title "Select Administrator: X:\windows\system32\cmd.exe"


@0:17 cmd whoami returns "whoami is not recognized as an internal or external command, operable program or batch file."


@0:50 I could not open file explorer, but through the file explorer that pops up when I am opening a file through notepad, I was able to see the graphic representation of files, folders, and drives.


The storage drives appeared as:

 

  • C: 908GB free of 930GB
  • D: 60.9MB free of 553MB
  • X: 505MB free of 507MB


Given that I observed many files and folders in the X drive, and the command prompt window title indicated I was operating from this drive, I want to emphasize that the allocated and free space of this drive implies that ONLY 2MB are used. In other words, the content size amounts to 2MB.

@01:17 I explore the (X:) drive which has a directory like:


Program Files
Program Files (x86)
sources
Users
Windows


After seeing this file structure I struggle to believe this is only 2MB of content.


@01:21 The Users\Administrator folder is missing from both C and X drives. I saw these before I reset the PC and deleted everything (Is this a factory reset?).


@01:40 Folders in X:\Users\Public had a Date modified of 12/6/2019. I purchased this computer on July 27th, 2021. I powered it on for the first time, secured the BIOS, and observed the "Preparing for Automatic Repair" on July 28th. I accessed the System Recovery boot menu for the first time on July 30th.


@01:52 Files and folders of X:\Windows have a Date modified ranging between 12/6/2019 and 7/30/2021


@02:55 Properties of file X:\Windows\system.ini


@03:56 Properties of X:\Windows\System32\CodeIntegrity\driverspolicy.p7b are missing the Security and Digital Signatures tabs.


@05:46 X:\Windows\System32\Dism\DismCorePS.dll's properties has the first Digital Signatures tab I see. The Details tab indicated the File description as "DismCore Proxy Stub," and its Original filename as DismProxPS.DLL.


@07:25 X:\Windows\System32\DriverStore\FileRepository has folders and files with Date modified ranging from 12/6/2019 through 5/11/2021


@08:05 X:\Windows\System32\DriverStore\FileRepository\c_bluetooth.inf_amd64_7e49a68f06c14d10\c_bluetooth.inf, with a Date Modified of 12/6/2019, properties was missing the Security and Digital Signatures tabs. And when I opened it, I read "DriverVer = 06/21/2006,10.0.19041.1"


@10:36 X:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_32a9ad23c1ecc42d\c_net.inf, I read again the "DriverVer = 06/21/2006,10.0.19041.1"


I could not help but think that it seemed wrong that I bought a PC in July 2021 with drivers from 2006.

 

@14:48 msinfo32 System Information's panel indicated that "Device Encryption Support Reasons for failed automatic device encryption: Un-allowed DMA capable bus/device(s) detected, Hardware Security test interface failed and device is not Moder" ... From researching this message, I gathered the ending of that sentence would have been "device is not Modern Standby."


@16:35 I continued to review the drives C, D, and X through the System Information panel


The size and content of the X drive make no sense.

Where are the bootloader managers and EFI BOOT files?

Why is the Boot drive an NTFS file system?


@18:14 The D Drive (Windows RE Tools) contained only one folder and two files: Recovery.txt (size 0KB), and Recovery\_CNBRP_FLG (size 1KB).


Allocated and free space information about the D drive made no sense.

 

@19:32 The properties of X:\Windows\System32\sfc.exe (System Integrity Check and Repair), Date modified of 12/6/2019, lacked the Security and Digital Signature tabs.


I invoked "sfc /SCANNOW" and the command prompt window reports:


Beginning system scan. This process will take some time.

 

Beginning verification of system scan.
Verification 100% complete.

 

Windows Resource Protection could not perform the requested operation.

 

@22:47 When I ran sfc as administrator, a window flickered.

 

In conclusion, I believe the computer was hacked after I secured the BIOS and despite the facts that I have not loaded the operating system once, nor connected this device to the internet, not even sniffed a Wi-Fi device, nor created a user account, and despite the fact that I "Reset this PC" and "Delete Everything."

 

I would value any feedback

 

AN EXAMPLE OF MY INTERACTION WITH CUSTOMER SUPPORT

 

All of my computing is hacked, including my phones, and in the last couple of years I have been unable to get real technical support that leads to solutions from Google Fi, Microsoft, Google Chrome, etc. Whenever I contact customer support through chat, the conversation evolves into a loop without answers, and I believe I am not chatting with a real customer support representative. For example, a week after I created a personal Microsoft account, I realized a second school/work account had been created (not by me), and when I reached out to chat customer support to figure this out, the rep dismissed my question and focused on the background information I gave (a previous conversation I had with another rep about my account being locked).

 

This video shows how I realized there was an additional account associated to my email: https://www.youtube.com/watch?v=HpSAVABMM3A

 

I recorded the computer's screen while I chatted, and this is a long video https://www.youtube.com/watch?v=bhSpGs-qZeg, but below I list and link the points I care to be noticed:

 

 

Given that the conversation went nowhere, I submitted a support request through email, to which I received a response that led me to submit another email to abuse@microsoft.com. However, when I researched this email address, I learned Microsoft retired it back in 2005.

 

In this video I display the email I sent and received: https://www.youtube.com/watch?v=WOZYNWyIBE8 

Webpages stating abuse@microsoft.com has been retired from service:

 

 

So, I did not get support; I believe I am unable to reach support through chat, phone, or email. I won't get into the phone calls, but there is also impersonation. I explain all of this because I believe you may be wondering why I chose to explore WinRE in the new computer of which I speak in this post. Why I chose to explore the System Recovery menu option as opposed to powering up the computer and setting up in the ordinary way.

7 REPLIES
Dragon-Fur
Message 2 of 8

@u20210512 

 

My Opinion based on having read a small portion of your message:

There is nothing we can do about constant and extended hacking attacks on your technology.

The extent to which you say you have been victimized is beyond the scope of this Community.

 

 

Request for Review

 

  • I have submitted a request that our Community moderators review your question / concern.

 

Worth Noting

  • Our Community is not an HP business group.
  • We are not HP Technical Support, nor are we HP Sales, Service, or Warranty.
  • Our request for assistance on your behalf does not influence the outcome:  Our request is not a magic back door into HP Support.
  • The time frame (how long it takes) for a response is not controlled by the Community.
  • If / When there is a response, a Community moderator / agent will (should) post back on this thread before using other methods to contact you. 

 

Important

  • Do not contact random numbers posted in a public or private message by “new members”.  Vermin are looking for victims – don’t be next.
  • Please do not post any personal or case information here - we cannot make use of the data. 
  • Posting personal information at a public site increases your risk from rats and scammers.

 

 

 

Dragon-Fur

Jay_G24
HP Support Agent
Message 3 of 8

Hi @u20210512,

 

I'd like to help!

 

Please look for a private message from me requesting additional information. Keep in mind not to publicly post personal information (serial numbers and case details).

If you are unfamiliar with how the Community's private message capability works, you can learn about that here.

 

Hope this helps! Keep me posted. 

 

And, Welcome to the HP Support Community. 

 

Please click “Accept as Solution” if you feel my post solved your issue, it will help others find the solution.

Click the “Kudos, Thumbs Up” on the bottom right to say “Thanks” for helping

u20210512
Author
Message 4 of 8

Dragon-Fur, I imagined you cannot help me with persistent harassment and hacking, but I am wondering why the machines are vulnerable during the setup phase?

u20210512
Author
Message 5 of 8

Thank you Jay_G24, but I have returned the computer. 

Jay_G24
HP Support Agent
Message 6 of 8

I respect your decision.

 

If you need further assistance, feel free to reach out to us.

 

Have a great day ahead!

 

Please click “Accepted Solution” on my public post if you feel my post solved your issue, it will help others find the solution. Click the “Kudos/Thumbs Up” on the bottom right to say “Thanks” for helping!

Nessa48
New member
Message 7 of 8

I for one really appreciated how you laid this out.  I also was hacked, coincidentally on July 27th.  They have disabled every computer, phones, tablets, even my car.  Drained my accounts.  I got a new HP All in One for my office and tonight that computer had the Network Adapter uninstalled when I was just a little too close to figuring out where I needed to be to fix the user issue.  Ugh.  So frustrating.  I look forward to watching the videos.  This has consumed my life, and I have zero time as it is.  So thank you.  

hippedup
New member
Message 8 of 8

What a great post to a never ever looping life changing experience. I am currently 8 months into my journey with very little progress and it's ruined my life. I'd love to speak to the OP or anyone else who's been through this.
