Wow - very pervasive/aggressive "malware", can't solve

Folks - I have one single machine with the most pervasive, confounding "malware" effects I've ever dealt with in 30 years of work in tech. (And I even wrote some viruses and Trojans myself in everything from assembly to C++ in my early days doing formal study of operating systems.)

I also can't find out anything specific about a similar infection type here or on other forums.
This is a personal HP Pavilion X360 exclusively bought and provisioned for my daughter to use for virtual school work on our home network.

Initial behavior:

• When any version of Windows 10/11 is clean-installed after all partitions are deleted, Windows behaves fine when offline - I can manually install any number of KBs, BIOS updates, OEM drivers, etc. and I've tried maybe 5 different Windows ISOs from pre-21H1 through Win11 22000.71
• When initially offline, Malwarebytes / Emsisoft report no malware - even scanning for rootkits, even scanning with direct HD access
• When initially offline, SFC reports no integrity violations & chkdsk reports no errors

As mentioned above, BIOS update is applied - Bios name/revision match HP's latest specs.
I then pause Windows Updates and join a network.
The following behavior makes ZERO difference how many / which users / built-in Administrator account are set up on the machine.

Malware behavior:

• Within minutes of joining any network, User Account Control asks to be turned off and system restarted (similar to UAC is consistently turning itself off.). NOTE - I have manually changed computer name / static IPs/DNS settings repeatedly during each clean install process, so this is occurring regardless of the computer's specific IP when it joins.
• At this point, Malwarebytes reports Task Manager has been disabled; CMD has been disabled; Registry tools have been disabled - Emergency Kit reports the same findings. Neither tool reports specific malware.
• Upon next reboot, I get the old "user profile service failed the sign-in" - no restoration methods work from here on out

So...some kind of a RAT?
The only other thing I could think of is if it's not really malware, but some failed attempt by HP to install another driver, but you'd think it'd go through the correct chain of command.
I'm thinking of installing Fiddler right away too during the offline process and watching for what traffic is happening.

I don't have an answer, but I'm curious about exactly how UAC asks to be turned off.

Can you get a screenshot of that?

NMI said:

I don't have an answer, but I'm curious about exactly how UAC asks to be turned off.

Can you get a screenshot of that?

It does it in the background with no user interaction until the below message shows. And even without restarting, by this point it has already changed registry settings to disable almost all admin functionality - so without blocking or reverting the reg entries, the PC is toast until a clean install.


Anyway folks, I am now almost certain on root cause with the help of watching Fiddler: "lojack" - essentially OEM BIOS "malware" that is immune to hard drive refreshes, and is intended to be in the BIOS, so flashing doesn't help. This explains everything. Very clever/pervasive/aggressive:

1. As soon as the computer goes online, cprs.hp.com is contacted. Controlled Permission Reconciliation Service: Controlled Permission Reconciliation Service (CPRS) - Understanding Feature, What's New, Advantage, and Usage - Identity Manager Tips & Information - NetIQ Identity Manager
2. Next the computer contacts search.namequery.com for BIOS anti-theft / lojack mechanisms:
[SOLVED] namequery.com requests - Networking - Spiceworks
https://www.blackhat.com/presentatio...tkit-PAPER.pdf

Now I should explain what I hadn't even thought of until I discovered the above behavior. I bought this cheap PC for my daughter directly from Best Buy, but as an open box. When my wife went to pick it up, she saw it had a Best Buy user account on it. Of course Best Buy themselves wiped the machine when she showed them (and then I did the clean installs I mentioned), but they must have registered it somehow as one of theirs, or even a theft.

At least now I am on the right track to go back to Best Buy again. In the meantime I used hosts to block the two domains and may add more that I see come up in Fiddler.

- - - Updated - - -

Finally, here's the Fiddler proof of the PC communicating with some seemingly random IP (Telus) about the Absolute Computrace package.



HP doesn't have an option in the bios to disable this, but some manufacturers do, and there are apparently other hacks out there.
rootkits - Detecting and removing Absolute persistence technology - Information Security Stack Exchange

I don't know how long you have been grappling with this, but I would have been back to Best Buy for a refund in very short order! Since it survives a BIOS update, there must be something on the motherboard taking ultimate control (some of your links suggest that). As an anti-theft device it may serve its purpose, but I wonder if HP, Dell etc are still using it (was Computrace, now called Absolute)?

mngerhold said:

]Since it survives a BIOS update, there must be something on the motherboard taking ultimate control (some of your links suggest that). As an anti-theft device it may serve its purpose, but I wonder if HP, Dell etc are still using it (was Computrace, now called Absolute)?

Yes - it really is amazing how well this Absolute Computrace (lojack) works - and it's only gotten better since 2014 when this was written, but it gives you some idea: Absolute Computrace Revisited | Securelist

@Samuria - I am 100% certain it is Absolute/Computrace. The scans I ran with Farbar report nothing - no fix list items (and barely anything running since it's a clean install) - but then literally within a few minutes, the computer will be corrupted. Keep in mind that every detector whitelists this anti-theft "malware" behavior - and by the time the registry values are overwritten, it's too late because it's already disabled everything.
Further, I can prevent the behavior by overwriting ONLY the Absolute files (rpcnet/rpcnetp) and blocking the rpcnet services, but this has to be done repeatedly at startup, because Absolute is self-healing - amazing frankly: Absolute Support

@TairikuOkami - you're hitting on a great point. It's nearly impossible to determine malware from anti-theft "malware" behavior because Absolute behaves so much like malware, but yet it's whitelisted. It could have been compromised. The only good news is that the custom solution of continuously overwriting the files/preventing the service from running does prevent the access from continuing or the behavior from occurring - Fiddler is clean and registry is clean as long as you keep intercepting the rpc files.

And finally, back to you @mngerhold

mngerhold said:

I don't know how long you have been grappling with this, but I would have been back to Best Buy for a refund in very short order!

Yeah, I literally wrote about this in real-time yesterday, but the problem is that the behavior just started happening now, months past the warranty/return period, which really sucks. And only yesterday I discovered that Best Buy itself listing this as a stolen system is the culprit. So now it's difficult to find someone to get to undo the Absolute service, but I'm working on it. It used to be that you could also go directly to Absolute with your proof to remove, but they no longer allow it, and they make the corporate customer themselves (Best Buy) undo the theft notification.

jayinatlanta said:

Yeah, I literally wrote about this in real-time yesterday, but the problem is that the behavior just started happening now, months past the warranty/return period, which really sucks. And only yesterday I discovered that Best Buy itself listing this as a stolen system is the culprit.

You don't have the same consumer protection laws as we do in the UK, but I would say the item is not (and never was) fit for purpose. I assume you are talking to BB about it - its in their power to release the lock, or at least request Absolute to do so. From what I read of the links you provided, you otherwise don't have a hope. Good luck!

If your local Best Buy won't do anything, try to contact the corporation. They may do something, but often they won't, but contacting them is important for the next steps. Next, contact the Better Business Bureau. After that, contact your local TV news outlet — my favorite big guns to try if nothing else works out!

Usually, companies like Best Buy don't like bad news, especially when the news reports that they sold you a "stolen" computer that won't work. It's even possible that Best Buy is breaking a law (it depends on your Country, State/Province, etc). And some places have consumer protection agencies as well, which have the power to put things right and even fine companies for bad behavior. We have such agencies here in Canada, but it takes time for them to get to your complaint and do anything about it. That's why I prefer doing something much quicker with more shock and awe to get bad companies to notice — the news!

Your local TV channel is a better bet than your local written news paper. You might be thinking that they won't be interested, but ask anyway and they probably will be interested. And don't be afraid to go on TV, or fearing that others will judge you for being a complainer who likes to rock the boat — it will be alright, and you'll find a lot of people who'll cheer you own for standing up to Best Buy selling you a computer that they listed as stolen. TV works wonders for getting things done and settled. :)