
So I tried to copy ~200MB worth of files to a blank CD and, after starting that operation, I tried to move those files to a different folder on the internal SSD, which caused the CD write operation to fail (corrupting the CD and making it unreadable) and Windows Explorer to freeze until I used Task Manager to force it to close and restart it. I did retry that operation on another blank CD, which appears to have all its data intact, so I think that operation completed successfully.

Anyway, I then tried to restart the computer which made it get stuck on the red "Lenovo" logo with the words "Press Enter to interrupt normal startup" for a few minutes (pressing Enter didn't do anything) until I restarted it again while repeatedly pressing Enter until I heard the beep.

I then tried to use the built-in repair tool, which prompted for my BitLocker recovery key, so I decided to use the command prompt with sfc /scannow, which could not be performed, so I tried sfc /verifyonly, which confirmed that it found integrity violations.

So do you think my computer was hacked, or was this just a botched Windows Update (update KB3194798 came out right before I tried to restart)? I've been hacked by China at least once or twice before in the past two years, but it doesn't make sense that a government hacker would modify system files if they knew that Secure Boot may or may not be enabled (which would reveal the hack for a questionable reward if they already had the ability to do that anyway), so I think there's only a small chance this was an actual hack. Unless of course, they didn't expect the built-in BIOS Device Guard to be enabled and that was what caused it to refuse to boot into Windows?

And since everything except the kernel and the system files needed to show the login screen would be encrypted and therefore unreadable by the recovery OS, it's only a small number of files that could have been corrupted by a freezing Windows Explorer operation.

What can I do to further diagnose this problem without risking more data being leaked (assuming it was a hack) and/or the BIOS itself being hacked (and forcing me to trash another $2000 machine)?

Summary of my setup: This is on a ThinkPad X1 Yoga running Windows 10 Pro with:
- Secure Boot enabled
- Built-in Device Guard (not the Windows 10 Device Guard) enabled
- Firmware password enabled (but BIOS updating was enabled, though rollback prevention was enabled as well)
- And of course, since I carry this thing around with me, BitLocker with TPM and PIN enabled, and I don't see how someone could have had physical access to the machine itself

Machine specs: i7-6600U with vPro, 8 GB RAM, 1 TB SSD, mobile broadband. Wi-Fi and Bluetooth were not disabled.

UPDATE: I just disabled Device Guard in the BIOS (leaving every other setting untouched, including Secure Boot) and it asked me to type in my recovery key because Secure Boot settings were changed, so I changed the setting back. Then it still asked me for the recovery key, and after typing it in, Windows booted up successfully. Is that a bad sign? How would disabling and re-enabling Device Guard "fix" the problem?

UPDATE 2: I just went back into the recovery OS and ran sfc /verifyonly and it still found integrity violations (keep in mind that it still can't access any files encrypted by BitLocker), but I thought Secure Boot would have blocked Windows from booting up if it found problems with the kernel (which would check the other system files before booting)?

UPDATE 3: Today I went into the BIOS to disable all wireless interfaces and logged into Windows and used sfc /verifyonly again, which didn't find any integrity violations, even though sfc /verifyonly in the recovery OS did find integrity violations (I just did it again to be sure).


user117279
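The question asks how to diagnose the state of the machine without taking further risk. Below is an added example (not part of the original post) of the evidence a practitioner would collect first, from an elevated PowerShell session inside the booted Windows 10 install, before deciding between "botched update" and "compromise". It uses only documented cmdlets and event logs; the output folder name is an assumption. Everything is written to disk rather than acted on, so the run changes no settings and can be repeated after each BIOS change to see what differs.

```powershell
# Added example (not from the original post): collect the boot-integrity state
# that the question turns on, from an elevated PowerShell session inside Windows.
# Assumes Windows 10 with the BitLocker and SecureBoot PowerShell modules present.
# Output goes to a timestamped folder (assumed location) so runs can be compared.

$out = Join-Path $env:USERPROFILE ("integrity-check-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $out | Out-Null

# 1. Firmware-level state: Secure Boot, TPM, and the virtualization-based
#    security (Device Guard) services that are configured vs. actually running.
#    A mismatch between Configured and Running is what a BIOS toggle changes.
Confirm-SecureBootUEFI | Out-File "$out\secureboot.txt"
Get-Tpm | Out-File "$out\tpm.txt"
Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard |
    Select-Object SecurityServicesConfigured, SecurityServicesRunning,
                  VirtualizationBasedSecurityStatus, CodeIntegrityPolicyEnforcementStatus |
    Format-List | Out-File "$out\deviceguard.txt"

# 2. BitLocker: which protectors guard the OS volume and whether it is unlocked.
#    Each recovery-key prompt (TPM measurement mismatch) is logged as an event,
#    so the log shows exactly which boots failed TPM validation and when.
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, ProtectionStatus, VolumeStatus, EncryptionPercentage, KeyProtector |
    Format-List | Out-File "$out\bitlocker.txt"
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message | Out-File "$out\bitlocker-events.txt"

# 3. Was the update actually installed, and when, relative to the failed reboot?
#    System log 1074 = requested shutdown, 6008 = unexpected shutdown, 41 = Kernel-Power.
Get-HotFix | Sort-Object InstalledOn | Select-Object -Last 10 | Out-File "$out\hotfixes.txt"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074, 6008, 41 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message | Out-File "$out\boot-events.txt"

# 4. sfc writes its verdicts to CBS.log as "[SR]" lines. Run it from inside
#    Windows (the protected volume is readable here) and keep the extract, so the
#    specific files it names can be compared with any later run.
sfc /verifyonly | Out-File "$out\sfc-output.txt"
Select-String -Path "$env:windir\Logs\CBS\CBS.log" -Pattern '\[SR\]' |
    Select-Object -Last 200 | Out-File "$out\sfc-sr-lines.txt"

# 5. Code-integrity events: a driver or boot component that Secure Boot / HVCI
#    refused to load is recorded here, not in the sfc output. Secure Boot checks
#    signatures on the boot chain; it does not verify ordinary system files.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message | Out-File "$out\codeintegrity-events.txt"

Write-Host "Results written to $out"
```

Two caveats on reading the result. First, the "[SR]" lines name the files sfc considers damaged; the same file named in both the in-Windows and the recovery-environment run is a real finding, while a violation reported only offline often just means the offline scan could not read the protected volume. Second, when sfc is run from the recovery environment it must be pointed at the installed Windows with `/offbootdir=C:\ /offwindir=C:\Windows` after the BitLocker volume has been unlocked with `manage-bde -unlock C: -RecoveryPassword <48-digit key>`; without those switches it is scanning the recovery image, not the installed system.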

1 Answer


Many users tend to blame computer failure on getting "hacked", I'm glad that you are open to the possibility of it being something else. You very well could have been hacked.

From experience, when I have a problem like that, it is a botched or corrupted update. I had a little bit of connection trouble during an update, and somehow (maybe it didn't verify the MD5) my computer just died. I did a fresh install, and everything worked again.

Considering you have BitLocker, I would decrypt everything, then use another OS to try to rescue all the files, then do a fresh install and put everything back.

I hope this answers your question, if not please tell me in the comments so I can fix my answer.

dGRAMOP
  • Should I do the fresh install from the built-in recovery partition or a Windows 10 Pro disc to be safe? It seems a bit weird that Windows wouldn't verify the hash of a system update. – user117279 Oct 12 '16 at 15:11
  • Or could I just use System Restore so I don't have to lose my apps and settings? Is it possible for the recovery partition or bootloader to be modified if there's a BIOS password? (though if I could boot up the recovery partition, I guess the bootloader wasn't modified because otherwise Secure Boot would have stopped that) – user117279 Oct 12 '16 at 15:13
  • If this were me, then I would delete and replace all files that I don't need. I might try to copy over some config files, but in case you were hacked, saving your files might be a safer way (but there is a chance that the virus infected one of the files that you want to copy over) – dGRAMOP Oct 12 '16 at 21:53
  • I don't understand why the hacker didn't just make sfc /scannow in the recovery OS accept their own digital certificate as well though (I'm assuming that if the hacker could modify the bootloader or whatever it took to trigger Device Guard but not Secure Boot, he would be able to modify the recovery partition)? – user117279 Oct 12 '16 at 23:23
  • Depending on your level of paranoia (good): 1) Reinstall everything, keep files & config 2) Reinstall OS from separate disk, keep files 3) Start over – dGRAMOP Oct 13 '16 at 02:21
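The answer's procedure (decrypt, rescue the files with another OS, reinstall) and the comment thread's worry that an infected file rides along with the rescued data can both be handled in one pass. The following is an added example, not the answerer's own code: it escrows the BitLocker recovery password before anything else, decrypts the OS volume and waits for that to finish, then builds a SHA-256 manifest of the folders to be rescued with executable content flagged, so the copy can be verified on the fresh install. The removable-drive path and the rescue folders are assumptions.

```powershell
# Added example (not from the original answer): escrow the BitLocker recovery
# password, decrypt the OS volume, and build a SHA-256 manifest of the user data
# to be rescued, so the copy made to the fresh install can be verified.
# Assumes an elevated PowerShell session on the Windows 10 machine and a
# removable drive mounted as E:\ (assumed) that holds the escrow and manifest.

$escrow = 'E:\bitlocker-escrow'   # assumed destination, not from the original
New-Item -ItemType Directory -Path $escrow -Force | Out-Null

$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

# 1. Keep every recovery password before touching protectors. Losing it is the
#    one way a decrypt-and-rescue plan turns into data loss.
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { "$($_.KeyProtectorId) $($_.RecoveryPassword)" } |
    Out-File (Join-Path $escrow 'recovery-passwords.txt')

# 2. Decrypt in place and wait. Disable-BitLocker starts background decryption;
#    the volume is only safe to mount from another OS once it is FullyDecrypted.
if ($vol.ProtectionStatus -eq 'On') {
    Disable-BitLocker -MountPoint $env:SystemDrive | Out-Null
}
do {
    Start-Sleep -Seconds 30
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    Write-Host ("Decryption: {0}% encrypted, status {1}" -f $vol.EncryptionPercentage, $vol.VolumeStatus)
} while ($vol.VolumeStatus -ne 'FullyDecrypted')

# 3. Hash the data to be rescued. Executable content is kept in the list but
#    flagged, since the comment thread's concern is an infected file riding along.
$rescueRoots = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Pictures")  # assumed
$riskyExt = '.exe', '.dll', '.scr', '.ps1', '.bat', '.cmd', '.vbs', '.js', '.lnk'
$manifest = foreach ($root in $rescueRoots) {
    Get-ChildItem -Path $root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            # Path relative to the profile, so it matches on the reinstalled system
            RelativePath = $_.FullName.Substring($env:USERPROFILE.Length + 1)
            SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Risky        = $riskyExt -contains $_.Extension.ToLower()
        }
    }
}
$manifest | Export-Csv -Path (Join-Path $escrow 'rescue-manifest.csv') -NoTypeInformation
Write-Host ("{0} files hashed, {1} flagged as executable content" -f `
    @($manifest).Count, @($manifest | Where-Object Risky).Count)
```

After the reinstall, the same manifest verifies the restored copy: `Import-Csv E:\bitlocker-escrow\rescue-manifest.csv | Where-Object { (Get-FileHash (Join-Path $env:USERPROFILE $_.RelativePath) -Algorithm SHA256).Hash -ne $_.SHA256 }` lists anything that changed in transit, and filtering on `Risky` gives the short list of files to leave behind or re-download from their original source rather than restore.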