Question Air-gapped laptop hacked / Need Help with windows 8.1 journals

[seekinghelp]

system journal evtx: http://pc.cd/Re2ctalK
security journal evtx: http://pc.cd/rxIctalK
application journal evtx: http://pc.cd/ruPitalK

Hello

For over a year now, I can't wiggle out from a hacker's grip. I have tried switching to a new computer, but it is still going on. What can I make out of this information?

Today I present you the old dell latitude d420 case:

I stripped this laptop of wifi cards and antennas, bluetooth module, dial-up modem, microphone, speakers, 3g chipset slot, pcmcia slot
I disconnected and reconnected the bios battery
I formatted the harddrive and reinstalled windows 8.1 pro, downloaded from microsoft, not activated.
I disabled windows update, remote desktop, deleted the first administrator account and created another one, turned on bitlocker.
I locked the screen (win+L) and came back 9 hours later.

At around the 7 hour mark (nobody was around to meddle with the laptop), 5-6 am on the logs, dodgy events happen; the mpksl386cdf00.sys update on windows defender and the certificate update worry me most. Keep in mind this is an isolated computer, in theory, and turned on but not being interacted with. I pasted those events here, and attached the full logs to this post (EDIT: I couldn't upload the journals along, I pasted links to download the journal files). I also pasted the hardware specifications at the end of the post



Information log

Un service a été installé sur le système.

Nom du service :  MpKsl386cdf00
Nom du fichier de service :  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpKsl386cdf00.sys
Type de service :  pilote en mode noyau
Type de démarrage du service :  Démarrage du système
Compte de service :

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
  <EventID Qualifiers="16384">7045</EventID>
  <Version>0</Version>
  <Level>4</Level>
  <Task>0</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8080000000000000</Keywords>
  <TimeCreated SystemTime="2019-08-28T11:50:22.006796400Z" />
  <EventRecordID>226</EventRecordID>
  <Correlation />
  <Execution ProcessID="488" ThreadID="2196" />
  <Channel>System</Channel>
  <Computer>MonPC</Computer>
  <Security UserID="S-1-5-18" />
  </System>
- <EventData>
  <Data Name="ServiceName">MpKsl386cdf00</Data>
  <Data Name="ImagePath">C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpKsl386cdf00.sys</Data>
  <Data Name="ServiceType">pilote en mode noyau</Data>
  <Data Name="StartType">Démarrage du système</Data>
  <Data Name="AccountName" />
  </EventData>
  </Event>

Security log:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+ <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
  <EventID>4624</EventID>
  <Version>1</Version>
  <Level>0</Level>
  <Task>12544</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8020000000000000</Keywords>
  <TimeCreated SystemTime="2019-08-28T11:49:15.195813700Z" />
  <EventRecordID>256</EventRecordID>
  <Correlation />
  <Execution ProcessID="496" ThreadID="528" />
  <Channel>Security</Channel>
  <Computer>MonPC</Computer>
  <Security />
  </System>
- <EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data>
  <Data Name="SubjectUserName">WIN-4PICQFV9S23$</Data>
  <Data Name="SubjectDomainName">WORKGROUP</Data>
  <Data Name="SubjectLogonId">0x3e7</Data>
  <Data Name="TargetUserSid">S-1-5-18</Data>
  <Data Name="TargetUserName">Système</Data>
  <Data Name="TargetDomainName">AUTORITE NT</Data>
  <Data Name="TargetLogonId">0x3e7</Data>
  <Data Name="LogonType">5</Data>
  <Data Name="LogonProcessName">Advapi</Data>
  <Data Name="AuthenticationPackageName">Negotiate</Data>
  <Data Name="WorkstationName" />
  <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
  <Data Name="TransmittedServices">-</Data>
  <Data Name="LmPackageName">-</Data>
  <Data Name="KeyLength">0</Data>
  <Data Name="ProcessId">0x1e8</Data>
  <Data Name="ProcessName">C:\Windows\System32\services.exe</Data>
  <Data Name="IpAddress">-</Data>
  <Data Name="IpPort">-</Data>
  <Data Name="ImpersonationLevel">%%1833</Data>
  </EventData>
  </Event>

Application log

Mise à jour automatique du certificat racine tiers réussie : Objet : <CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US> Empreinte numérique Sha1 : <3679CA35668772304D30A5FB873B0FA77BB70D54>.

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" />
  <EventID Qualifiers="0">4097</EventID>
  <Version>0</Version>
  <Level>4</Level>
  <Task>0</Task>
  <Opcode>0</Opcode>
  <Keywords>0x8080000000000000</Keywords>
  <TimeCreated SystemTime="2019-08-28T11:53:14.829170600Z" />
  <EventRecordID>115</EventRecordID>
  <Correlation />
  <Execution ProcessID="920" ThreadID="2112" />
  <Channel>Application</Channel>
  <Computer>MonPC</Computer>
  <Security />
  </System>
- <EventData>
  <Data>CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US</Data>
  <Data>3679CA35668772304D30A5FB873B0FA77BB70D54</Data>
  </EventData>
  </Event>

This is an old latitude d420

Intel
®
Core™ Duo processor U2500 (1.20GHz)
945GMS (533MHz front side bus) with Intel onboard graphics
Min: 512MB DDR2 shared
1
533 MHz
Max: 1.5GB DDR2 shared
1
533 MHz
Wide-aspect 12.1” WXGA (1280 x 800 resolution) UltraSharp™
Supports up to a maximum resolution of WUXGA (1920 x 1200)
Intel
®
Graphics Media Accelerator 950 (up to 224MB shared)
30, 60GB
2
(80GB
2
post RTS)
87-Key US; key travel 2.5mm; key spacing 18.5mm
Touch Pad - PS/2 compatible, Track Stick - PS/2 compatible
High Definition Audio codec, mono speaker, 1.0W, integrated omni-directional microphone
H: 25.4mm/1.0” x W: 295mm/11.6” x D: 209.8mm/8.25”
Starting at 3.0Lbs/1.36Kg
11
65 Watt or 90 Watt AC adapter with cord wrapping
Primary 4-cell/28 WHr “Smart” Li-Ion battery featuring ExpressCharge™
Primary 6-cell/42 WHr “Smart” Li-Ion battery featuring ExpressCharge™
Primary 9-cell/68 WHr Li-Ion battery
56K
3
v.92 Internal Modem; 10/100/1000 Gigabit
4
Ethernet
Cellular Broadband
6
: (Only Available in the US)
Dell Wireless 5500 Mobile Broadband 3G HSDPA (Cingular US)
Dell Wireless 5700 Mobile Broadband CDMA EVDO (Verizon US)
Intel
®
PRO/Wireless 3945A/G (802.11a/g), Dell Wireless 1490 (802.11a/g), Dell Wireless 1390 (802.11g)
Dell Wireless 350 Bluetooth internal wireless card
One Type I or Type II
Support 34mm ExpressCard via a USB interface through PCMCIA adapter
SD card slot, IEEE1394, docking connector, 3 USB (one powered), VGA, headphone/speaker out, infrared port, RJ-11, RJ-45, AC power
Serial port, parallel port, VGA port, DVI port, 4 USB 2.0 ports, RJ-45 port, RJ-11 port, MIC in, HP out
9.5mm slim 24XCDRW/DVD or 8X DVD+/-RW

 

[hang-the-9]

Don't see a single thing wrong here. You may want to put in some details what this hacking was about and what the system actually does that is odd.

Defender and certificates trying to update is normal.

 

[seekinghelp]

This is not an update attempt, a new service was installed

Nom du service : MpKsl386cdf00
Nom du fichier de service : C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpKsl386cdf00.sys
Type de service : pilote en mode noyau
Type de démarrage du service : Démarrage du système

The reason Defender comes to mind is because the driver file was located in the Definition Updates folder, but it is not a definition update.

From the top of my head, on the Inspiron 15 3000 I have had the ProtonVPN client not requiring administrator credentials to start when starting it from an unprivileged user.
This application Requires to be run as an administrator.

On the Latitude 500m I have had very specific USB configuration issues: MTP devices failing to connect, Mass storage Devices failing to connect, vga port displaying garbled signal.

In all three I have had certificate issues on internet browsers, OS failing to boot, among many many other failures that can be attributed to software issues. Everything goes to normal after reinstalling, and eventually fail even without an internet connection.

 

[seekinghelp]

Many days ago I reinstalled windows 8.1 on the same computer. I picked up this MpKs?????????.sys file:
<Link removed by moderator>

 

[hang-the-9]

So what are you installing on this clean Windows setup? You also did not say what issues the system was having that makes you thing it's being hacked. If you are talking about USB issues and VGA issues, that would not be from any hacking, sounds like hardware issues on the system. Are you using the drivers from the laptop vendor?

Most "hacking"that people say is being done is just software issues. If the computer is just sitting there without internet connection, the only things that can get on it are things you install. Are you connecting a USB drive to it? Installing other software?

 

[seekinghelp]

By clean install I mean: formatted hard drive, reinstalled OS from an official image, didn't add any software, not even updates.

It is hard to believe I am having hardware issues on three different laptops at the same time. I find it is very strange for a computer on those conditions to have its hard drive wrecked one day, the replacement hard drive wrecked two days later and the SD card I was using as second replacement for solid storage wrecked two days afterwards that. That was using knoppix, and the SD was attached to USB2, not to SATA.

For the newest computer (inspirion 3560), I bought a replacement MOBO with a newer intel, but it is still acting up.

I would appreciate somebody direct me to a hardware hacking forum. This case seems beyond the scope of a power user.

 

[Spaceghaze]

By clean install I mean: formatted hard drive, reinstalled OS from an official image, didn't add any software, not even updates.

It is hard to believe I am having hardware issues on three different laptops at the same time. I find it is very strange for a computer on those conditions to have its hard drive wrecked one day, the replacement hard drive wrecked two days later and the SD card I was using as second replacement for solid storage wrecked two days afterwards that. That was using knoppix, and the SD was attached to USB2, not to SATA.

For the newest computer (inspirion 3560), I bought a replacement MOBO with a newer intel, but it is still acting up.

I would appreciate somebody direct me to a hardware hacking forum. This case seems beyond the scope of a power user.

Like you stated, you stripped the computer of everything that could connect it to the "outer world" - There is no chance that it can be hacked, exept having physical access to the computer.

I think you should really consider hardware issues.

Also just think about it, why would a hacker use his resources to hack pretty much outdated hardware?

 

[seekinghelp]

I think hacking thrills them. Just a guess, I am not one.

The thread is about the Latitude D420, but since you mentioned outdated hardware, let me add:

Two computers are outdated hardware, but the Inspiron 15 3560 is not. It started acting out since it was new. At some point the BIOS password stopped working, and the technicians at the Dell Reapair Center couldn't reset it, so they declared the motherboard was faulty and replaced it under warranty. However the computer kept acting out.

I decided to get the replacement myself. I ordered a replacement MOBO from a 3rd party.

First difference I noticed: Now I don't have 10+ HID (human interface devices) under Device Manager in Windows 10 that were recognized while using the other two MOBOs
I have no way to explain that since I am still installing from the same Windows 10 image, clean, without internet connection.

Second: now the Inspiron 15 doesn't act out UNLESS I connect it to the internet. I am greatly pleased by the improvement. I am guessing the hard drive has a rootkit, so I will not use it as a booting device and see how it goes from there.


I hope someone who knows a hardware hacking forum refer me or comment the case.

I now have a working computer. But the way those three different intel-powered-dell computers misbehaved is intriguing.

 

[Spaceghaze]

I think hacking thrills them. Just a guess, I am not one.

The thread is about the Latitude D420, but since you mentioned outdated hardware, let me add:

Two computers are outdated hardware, but the Inspiron 15 3560 is not. It started acting out since it was new. At some point the BIOS password stopped working, and the technicians at the Dell Reapair Center couldn't reset it, so they declared the motherboard was faulty and replaced it under warranty. However the computer kept acting out.

I decided to get the replacement myself. I ordered a replacement MOBO from a 3rd party.

First difference I noticed: Now I don't have 10+ HID (human interface devices) under Device Manager in Windows 10 that were recognized while using the other two MOBOs
I have no way to explain that since I am still installing from the same Windows 10 image, clean, without internet connection.

Second: now the Inspiron 15 doesn't act out UNLESS I connect it to the internet. I am greatly pleased by the improvement. I am guessing the hard drive has a rootkit, so I will not use it as a booting device and see how it goes from there.


I hope someone who knows a hardware hacking forum refer me or comment the case.

I now have a working computer. But the way those three different intel-powered-dell computers misbehaved is intriguing.

Quite interesting, but still its hard to believe that it has something to do with hacking. If there is no way the PC is connected to internet/bluetooth etc, it cant just be hacked out of the blue.

How about that win 10 image that you are using, is it from a safe source?

Guess you could try downloading this to a usb drive: http://liveupdate.symantec.com/upgrade/NPE/1033/NPE.exe

Do a rootkit scan.