So I’m not the most tech savvy or experienced when it comes to these things. I have a Dell XPS 13 laptop which I believe became infected sometime in the past week. I think I caught it early by sheer luck but I still think my PC might be screwed.
So basically around 3 or 4 days ago I noticed my Google results were off. Instead of the usual results prioritizing big name sites, I started seeing lots of the same obscure sites repeatedly on the front page despite barely relating to my queries. Lots of SEO optimizing, reach the front page type results. So I jump on my other computer and compare results. Sure enough they don’t match and I start googling how to get rid of redirect viruses. I downloaded all the standard removal stuff and used it, and while 0 threats were found in Malwarebytes and Rkill and all the others, my comp did seem to improve.
Next day I was just messing around on the computer, I turned on network discovery and lo and behold, there’s a completely unknown router on my WiFi. I try to kick them out but they are sorted as Network Infrastructure and I can’t do anything. I reset my router network and sign in as admin and when I get in I notice all kinds of messed up settings letting them control it remotely and all that fun stuff. Next thing I know I get kicked. I spend the next three hours trying to win back control of my router to no avail so I give up for the night and unplug/power down everything.
Well the next day I don’t even bother turning on my router, just dig into the comp looking for weirdness. I find about six users in the registry and they have folders with a lot of suspect filenames with words like “trace” and “inject” and “target” in them. Check my firewall rules and they’ve been completely redone to let anyone through remotely. I try to restore them to default but now the default is the hacker setup. So I just delete them all and block all connections in and out.
I debated for a bit what to do and decided to just do a clean install. I go to my Windows settings to remind myself of all the recovery options and they’ve all been removed except the UEFI one, which seems both suspect and convenient. So I click it and it restarts me into the BIOS, which is now way different than before and has no option to boot from USB anymore. There’s options to shut down cores, audio, and plenty more. Also options to set an array of hierarchical passwords and to toggle permissions and whatnot. There’s an expert key management tab and I can toggle functionality of Secure Boot, TPM, hyperthreading, etc.
I basically have no idea what to do. It almost seems like I cut connection and got to the rootkit before it had enough time to really screw me and I was able to stumble upon their BIOS kit and get an insider’s look. At the same time I feel like this could be more of a trap to lure me in and I don’t really know whether my other computer got infected or what login stuff they have. I know this is all pretty vague but I’m happy to answer any specifics and take any advice. I’m typing this up on my phone cuz I’m afraid to try the other comp for fear it’s compromised.
The stats I can remember off the top of my head:
Dell XPS 13 9000 series
Intel i5 processor (quad-core @2.5)
128 GB SanDisk SSD
8 GB RAM
Windows 10 Home edition
I’ll post more specific details when I get home. I have no idea why someone would target a broke incompetent college student with such a sophisticated virus but at least I have something exciting to do for spring break. So yeah, is there anything that can be done or am I just living with a BIOS infecting root until I can afford a new comp?