virusbot

How to remove MSIL/Keylogger.A from a laptop

I wanted a spare laptop for testing purposes. I did not want to spend a ton of money and after looking at a few different options, I found one in the Amazon Warehouse.

Cute little laptop, nothing special about it and the price was good so I bought it. Now I understood that it was used and was not sure what I would be getting but what I got was a hot mess.

I turned it on and the previous owner’s login page showed up. Now I could have reset the password and done some snooping but I do have pretty good morals so I opted to simply reset the machine.

So I opened up the Windows Recovery settings by holding down the Shift key while clicking on Restart, clicked on Reset This PC and then chose a local installation. I chose to delete all previous data and let it run its course.


Once complete I ran through the Windows setup and was shocked when Windows alerted me to a virus. Yep, I reset Windows and deleted all previous data, except this virus was still there. Important note: the Windows virus detector was unable to remove or quarantine it, so I needed to find a way to remove it myself or return the device to Amazon, but I figured, why turn down a learning opportunity?

So I did what any rational person would do, I opened an investigation and started keeping notes.


I input a prompt into WhiteRabbitNeo as follows:

I received a used laptop, I did a full reinstall of Windows to remove all previous data, Windows Defender detected MSIL/Keylogger.A it has infected the following: C:\Program Files\Realtek\Audio\HDA\TAVCpl64.exe as well as regkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\RTHDVCPL AND runkey: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\RTHDVCPL – how do I remove this? Windows Defender is unable to remove it and attempts to boot into safe mode result in inability to boot. Unable to repair Windows from Windows recovery screen. Help

WhiteRabbitNeo is a nifty AI tool that is built for cybersecurity-specific questions. This was its response:

To remove the malware from the registry and the C:\Program Files\Realtek\Audio\HDA\TAVCpl64.exe file, follow these steps:

1. Boot into Safe Mode:

   – Restart your computer and press the F8 key repeatedly until the Advanced Boot Options menu appears.

   – Select “Safe Mode” and press Enter.

2. Open the Registry Editor:

   – Press the Windows key and search for “regedit”.

   – Click on “Registry Editor” to open it.

3. Navigate to the registry key:

   – Expand the “HKEY_LOCAL_MACHINE” folder.

   – Expand the “SOFTWARE” folder.

   – Expand the “MICROSOFT” folder.

   – Expand the “WINDOWS” folder.

   – Expand the “CURRENTVERSION” folder.

   – Expand the “RUN” folder.

4. Delete the “RTHDVCPL” registry key:

   – Right-click on the “RTHDVCPL” key and select “Delete”.

5. Remove the malware file:

   – Open File Explorer and navigate to the “C:\Program Files\Realtek\Audio\HDA” directory.

   – Right-click on the “TAVCpl64.exe” file and select “Delete”.

6. Restart your computer:

   – After deleting the registry key and the malware file, restart your computer normally.

Please note that the malware may have additional persistence methods, such as creating autorun entries or modifying system files, which may require additional steps to remove. It’s also important to run a full antivirus scan after removing the malware to ensure that it doesn’t come back.

If you’re still unable to boot into Windows after following these steps, it’s possible that the malware has corrupted the boot configuration or the Windows installation. In this case, you may need to perform a clean installation of Windows or use a recovery disk to restore your system.

  • Remember, it’s crucial to avoid opening suspicious email attachments or visiting untrusted websites, as these can be a common way for malware to enter your system.
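Before deleting the entries the response lists, a defender would normally record what the autorun value actually launches and whether the binary carries a valid signature, so the evidence survives the cleanup. The PowerShell below is an added example, not part of the post or of WhiteRabbitNeo's reply; it assumes the Run value name and file path quoted in the prompt above, also audits the HKCU Run key (which the post does not mention), and keeps the removal commands commented out until the evidence has been saved.

```powershell
# Added example: audit the Run-key persistence and the flagged file before removal.
# Value name and file path are taken from the post; HKCU is an added assumption.
$RunKeys   = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$ValueName = 'RTHDVCPL'
$FilePath  = 'C:\Program Files\Realtek\Audio\HDA\TAVCpl64.exe'

foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }

    # 1. Dump every autorun value so a second entry does not hide beside the flagged one.
    Write-Host "Autorun values under $key"
    Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* | Format-List

    # 2. Record the exact command line the flagged value launches.
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { Write-Host "$ValueName -> $($item.$ValueName)" }
}

# 3. Hash the binary and check its Authenticode signature; an unsigned or
#    invalid signature on a file that sits in a vendor directory is worth noting.
if (Test-Path -LiteralPath $FilePath) {
    $hash = Get-FileHash -LiteralPath $FilePath -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    [PSCustomObject]@{
        Path    = $FilePath
        SHA256  = $hash.Hash
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        Written = (Get-Item -LiteralPath $FilePath).LastWriteTime
    } | Format-List
} else {
    Write-Host "File not found: $FilePath"
}

# 4. Only after the output above is saved, remove the persistence entry and the file.
# foreach ($key in $RunKeys) { Remove-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue }
# Remove-Item -LiteralPath $FilePath -Force
```

Run it from an elevated PowerShell prompt and save the output with your notes; the hash lets you confirm later whether the same file returned after a reset.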

I followed the instructions to the letter and was able to remove the malware. But I wanted to make sure this thing was gone for good. So I again reinstalled Windows and removed all previous data – the virus came back.

This thing had really embedded itself into the system.

I then went nuclear at this thing and created a Windows installation disk on a USB stick and completely reformatted the SSD drive.

The USB installation of Windows worked beautifully and upon running the virus scan no virus was detected!

So happy that worked!


So, now let’s talk about lessons learned.

First, DO NOT buy used equipment unless you know how to deal with potential issues. I could have returned this item, and I still might return it if anything else goes wrong, but I bought it to learn and it has already taught me a great deal.

Second, DO NOT immediately connect a used device to your network! Take your time and do some offline investigating before you connect it. This simple precaution could save you from a network intrusion or other type of attack like data theft.

Third, use ALL resources at your disposal, whether that is an experienced friend, a trusted website or an AI LLM that is configured to deliver the information you need. Just find the resources and information that work for you and come from a trusted source.


Fourth, DOCUMENT the shit out of whatever you are doing! No matter what you are doing, document it. I know it’s an extra step for a home user and many will not see why you should add to your workload. But trust me, if you just take the extra few minutes to write down what you are doing, copy links to the information you found, take screenshots, and note the questions you asked and the answers you received, you can go back to these notes for the rest of your life, whether in a job or at home, or give them to a friend who is facing the same issue. Your documentation will save you so much time. And, if you ever did need to seek professional tech support, you have a documented history of everything you have tried. This simple step will save them a huge amount of time too.

Is there anything I would do differently?

In my case, yes. When I initially configured the machine I did have it briefly connected to one of my guest networks. Now, this network is isolated and I use it for devices I really don’t trust, so I’m not really concerned about anything that could have been discovered. Also, it was apparently a keylogger and I did not enter any sensitive information or go to any website or anything, so again, not concerned.

The only other thing I would have done differently is, had I had a large enough external drive, I would have copied the entire SSD drive and converted it to a VM that I could have run some more tests on. I would have liked to be able to analyze the network traffic that this thing would have generated. Alas, I did not have the resources to make that happen.

Overall, I am pleased with how things turned out. I learned a bunch and it gave me something interesting to write about.

Now your turn: have any of you had to deal with this type of malware? If so, what did you do? How did you purge it from your system?
