Victim of complex, clever APT going on 13 months, cannot secure any device or domain or email, or phone or anything, including new purchases, instantly compromised. Thinking of suicide now...

Hello. I am the unfortunate victim of a very clever APT that has led to me having to close down my charity law firm for the poor, and as no one would help me, I then spent all my equity and savings and even debt and borrowed so much it is impossible to recover, in my alone effort to learn about networks and use toolbox Kali and Tails and lots of microsoft and any secureity tools I could find, and always with compromised devices, instantly, and so it has been a horrible education where I fight and discover with broken tools, and I have discovered and learned a lot these 13 months, but also have gone from wealthy to closing 3 of my 4 businesses, including all charity projects, and the last of my businesses is dying, and I cannot produce economically in this compromised state, and am victim of much financial fraud and it is too much to even try to catch up and audit and notice, and I have been hospitalized multiple times this year and probably because I have been sleeping only every other day and in constant stress over this and the fact I cannot get even one device to be exclusively mine and secure and I have root control. None. Even if I go and buy one. And I did that many times, many ways, every tactic I could think of, and exhausted my cleverness, and my ideas, and have copies and lots of digital evidence, and even probably most of the malicious code---none was easy to obtain or find, but I have, and I have I am sure plenty of logs, code, and so on, that someone who knew these technologies and jargon professionally could definitely understand how this horrible awful, shockingly persistent and perfectly targetted at me hackerware hell works and maybe could create a countermeasure. I cannot. And I feel pain in my chest and heart, and I am only 31 and was before this a champion swimmer and a charity lawyer and now I am in ruins, and have nothiing, and I am just as imprisoned and cyber raped by day and night, and alienated socially as friends and relatives do not believe such malicious malware or cyber attack possible, but I have proven 95% of my claimed observed syptoms, which replicate always the same, and in same ways, and if anyone actually used this, or experienced it, they would know how terrible it is. And I lost everyone, and everything, and I have never worked harder, nor longer, nor had to be more clever, nor toiledmore, nor been more desperate any year of my life, and I gained lots of knowledge, lots of hackerware code and evidence and specific evidence, and mor, and logs and logs, and discovered emebedded strings and malicious code in unlikely files, like pictures, and scripts and desktop.ini is a negative value and it seems to be in every folder, and near any folder will not let me in unless I get clever about taking ownership, and /or using a live distro like tails can give me a more honest glimpse of the file system but even it and my linux laptop is deviant, and permissions changed, devices that were private now take policy, every time i install windows or buy a windows laptop I see in the GUI that the IIS is not enabled buut in fact 100% of the time it is, along with some folder wwwroot, and the whole experience of the OS feels so limited and I said once it was as though I live in a docker container, or else it is a snapshot that is virtualized and replicates, and later found evidence of both happening. Also, you don't need wireshark and ettercap to note the mutating urls as php and sql from god knows where always injects, but I tested and confirmed. And so I will list the primary areas that are always compromised and you then may understand how and why it has been impossible for me--and attorney who had no prior technical kowledge, but could write the blue and red field manuals from memeory now and can BASH with anybody, and knows every tool in Kali and a bit of some others, and a lot now about configurations and deployments and enterprises and the panther files especially the setup act log is very much clearly in plain language obvious it deploys in this same wretched specific very customized way, including modifying or creating some 30,000 entries in the registry, every single cert ca store is wrong and with asinine certificates and the only revocation list says from 1994 and in fact does not revoke anything, it adds more trusts, and some sloppiness the certificates if able to be seen, occasionally will have an active link on the "statement" of publisher and will have a verisign root that has a statment from an entirely separate company or a known alleged CA publisher will have a misspelling of name, or whatevr, but what is key is that a lot of services that nobody would want in this combination, except a malicious remote controlling unknown hostile truly mean person, and each service has its own store set, and all are insane and irrevocable crazy certificates, a 3rd level, minor certificate upon close inspection will have actually more power than god, and can do anything anywhere, cotntrol encryption, encrypt dom0, control tpm, anything. And so the devices are taking olicy and orders and so on, and even in sysprep which I cannot even make it do, but I can get it into audit mode (but by then sysprep has run eenough times the damage is there, present, and irreparable) and I cannot be secure online either as I am, I discovered, not just subject to constant injection and bad roots of trust on all devices, and provisioning and more and worse, but I am also under attack by any web applications and/or APIs and I admit I am not even expert enough to say th difeerence, but I can tell you from testing, and observation, and lots of pain and hell and torment and struggle, that many many APIs are NOT kind to me, including the OAuth2 which does identify me, and of course, it is used, and abused, and so are many many other APIs and I am not a programmer nor a developer, it is a lucky thing I can use BASH and pre-made modules in Kali or else I would not have found most of what I have found. But here I am, now more than a year later, lost most anybody in my life that I valued, and lost essentially 4 startups, including 2 charities, I made and were succeessful and I was proud, but now 3 are dead and 1 on life support and likely to be bankrupt and close also, and myself I went from having a good life style and comfortable income from my many enterprising efforts to the depths of poverty with so much debt and in fcat creditors and alleged debts in numbers you cannot imagine which I havenever used, nor heard of, and between all APIs and online threats, and the law email I had was stolen and google never gave it back, and it to this day is now a "service account" and I am always told by google who does not care a bit that sensitive information is in there, including about children, as I was helping families dealing with divorce, and myself recently abandoned then and divorced, anyways so that information which needed protection, and I had protected it, but then, one day, all my financial accounts, my publishing accounts, my domains, my emails, everything, taken. And I got some back. But not that one. And I even begged and threated lawsuit (that I have no time or means or ability to even file as I am now so destitute) beggeding and demanding they either give it back or else destroy it, because children are vulnerable and google does not respond and does not care, and any person if I ever can get anyone to talk to me, just says to use the go/recover or whatever it is, but I have copies of injection and code from "temp files" that, are anything but, coookies,  and APIs and whatnot httponly get json token and I do not know the client secret not have any ability to take or asert control, and so some companies gave me my accounts back over months of process, but some have not. And I hate that after I have essentially done everything possible I could think of and spent and sacrificed so much, and aged probably 30 years, and in fact... if it went away today... I don't even know if I have the health or energy, and certainly no longer the financial ability, to even recover. And... I had been so hopeful and tries so very hard. Just want to be free. Even on one damned device. From that maybe I could fight back and take back. But no, always deprived of me. or any affor that seems to be working ends up undone by replication or by being this separate, parralel memory state or something, like fake, and I am at the end of my rope. And I can feel it in my body that I am not in good health, and I have nothing, and everyone I valued in my life is gone, and my clients I was helping pro bono all of them suffered when I was forced to withdraw the cases, and I think one or two may even have died. And ... I ... I think, if a year ago, I knew I would still be here a year later, except having given and spent and tried everything and been broken and unsuccessful and lost so much.... I ... would rather have died. By any means. Drawn and quartered, anything would be better than this year...

I am not here seeking pity. I am wondering every day why not put a .45 hollowpoint in my brain stem, (which I am sure would be the best way, if that was how I was going to go) or otherwise just hook up some callibration hydrogen and a rebreather mask, or a damn shopping bag and just , inhale pure nitrogen and pass out and peace finally. Peace. My god. ... But I won't. I hope. ANd I think I was at that feeling as long ago as February and... I tried getting help from the state authorities and one had trouble talking to me as at that time I was having a MitM issue with both the browser and the device which I thought was my router and had my router's name, but turned out to be a hiden hotspot stuffed in the case of one of my desktops and was branded T-Mobile...

I have changed geography, devices, ISP, VPNs, and more, and tried everything. I promise you I was never free for even one second. Always contained. Always imprisoned. And unable to just even work in peace and try and rebuild a new business or save one of mine, but no... too much to ask. And now I am alone. Literally. And have nothing.
Richard SandersAsked:
Who is Participating?
 
btanExec ConsultantCommented:
I am not sure how much can be helped. Just sharing what I can best appreciate below.

For the logs, there is nothing unusual as they are usage log and likely same for WindowsRT
With Windows 8 (.NET 4.5), a new NGen mode: "Auto NGen" has been introduced. Basically, the .NET runtime generates usage logs for managed applications. When the system is idle, an automatic maintenance task runs in the background and generates native images. This way developers no longer have to deal with NGen explicitly. Note that this feature is only enabled for .NET 4.5+ applications that target Window Store or use the GAC...... Every time the application run it creates a new type of logs called “Assembly Usage Logs” in the AppData windows directory..NET runtime lifecycle with NGen managed applications
https://eknowledger.wordpress.com/2012/05/04/clr-4-5-net-framework-kernel-improvements/

Also Windows kernel can support Linux running through use of Windows Subsystem for Linux (WSL). It is a collection of components that enables native Linux ELF64 binaries to run on Windows. It contains both user mode and kernel mode components. Assuming if this WSL exist, then you should also find kernel mode drivers (lxss.sys and lxcore.sys) in your machine. They are responsible for handling Linux system call requests in coordination with the Windows NT kernel. As for the folder of the Systemd found in the .wim, it may be some installation leftover - not certain what created those though.
https://blogs.msdn.microsoft.com/wsl/2016/04/22/windows-subsystem-for-linux-overview/


For the INetCookie/container.dat, that replaces index.dat  with IE10 and Windows7. There is also past naming of it as "WebCacheV24.dat". It is large size as it stores all cache/history information. May want to try  BrowsingHistoryView
The browsing history table includes the following information: Visited URL, Title, Visit Time, Visit Count, Web browser and User Profile. BrowsingHistoryView allows you to watch the browsing history of all user profiles in a running system, as well as to get the browsing history from external hard drive.
http://blog.nirsoft.net/2012/12/08/a-few-words-about-the-cache-history-on-internet-explorer-10/
http://www.nirsoft.net/utils/browsing_history_view.html


Nothing much on the phone.inf but you can see the activation center matches and I would have thought you are referring to %WINDIR%\Inf\Setupapi*.log which used to log Plug and Play device installations. The flagged "setupactlog", I supposed it is "setupact.log". This contains debugging messages from the Kernel-Mode Driver Framework coinstaller, which is a Microsoft Win32 DLL that assists in device installation. yet another big file that is used for troubleshooting Windows installation When a failure occurs in Windows Setup, review the entires in the Setuperr.log file, then the Setupact.log file, and then other log files as appropriatehttps://www.microsoft.com/en-sg/Licensing/existing-customer/activation-centers.aspx
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-7/ee851579(v=ws.10)
0
 
Jackie ManCommented:
Do you have a backup of your data?
2
 
yo_beeDirector of Information TechnologyCommented:
Love the one liner suggestion after that lengthy very detailed outline novel of a question.  

What I would recommend is systematically work form the ground up.

A few questions:
1: Do you have a central file storage (NAS or SAN)?
2: Are all your machines Windows OS.
3: How are you see that your system is compromised. Something as clever as you outlined seems like it would want to remain hidden.  
4: What is the code purpose?
5: Is this a domain (Active Directory) infrastructure?
6: Have you tried WIRESHARK?

If you have a NAS I would start with all systems off accept your NAS then boot a single clean fresh machine and see if you see this machine stays stable or is it compromised immediately  as you have already experienced. If the system stay clean you can start to assume that the threat is not located on the NAS.  From there I would start up one server at a time and monitor the effects.

From my point of view you will need to rebuild everything from the ground up.
0
Network Scalability - Handle Complex Environments

Monitor your entire network from a single platform. Free 30 Day Trial Now!

 
btanExec ConsultantCommented:
Rebuild and move on. Since you mentioned APT and the elaborate attack suffered, you would have also alerted the authority. Backup and recovery is essential especially in the case of ransomware attack if you are hit by it. I would eventually suggest you go into a managed security provider with your hosted data managed by external provider,  it will quickly get you up running and not be worried on the control implementation. There is still a nominal fees if you can still handle it.

But it would seems the "when" happened and it is rather difficult for you and team to become the incident responsers effectively. Let others manage for you then. It is alright to be hit but it is how you can recover quickly. Think through again. And not give up. We learn from lesson and I believe your experience will be a valuable one to the community and your future. If it does not work out to rebuild and recover, get a job with a security centric cloud provider and venture into it to learn the ropes and eventually be a user of it...and come back to contribute to the masses again.
2
 
Richard SandersAuthor Commented:
I will now answer your questions directly, and I have log files and weird ass files available upon request if you want, I have capture4d much of the malicious code and even broke some of the databases myself with math (only ones relying on font changes and they can be broken with basic 14th century frequency analytics--I am kind of a huge probability/stats/econometrics guy. And I purposefully had had my law firm harddrive using NOT the ellipses standard of encryptioon but the factors of huuuuge primes, and my cypheralgor8ithm could not be derived without seeming to be random and the cypher itself was like 40 random characters only I knew--and I recently found a keylogger so now I am thinking... oh.... so much for a mathematics front door that is a gate of 10,000 meters of tungsten....
0
 
Richard SandersAuthor Commented:
REBUILD AND MOVE ON IS NOT POSSIBLE, I WILL EXPLAIN WHAT I KNOW FARTHER DOWN BUT THIS IS A HUGE PROBLEM TO ME AS I HAVE REBUILT THREE TIMES< FROM SCRATCH< AND NEVER ESCAPED. (A total of 14 laptops and 6 desktops) and more routers and such than you can imagine, and 10 phones at least. and tried using T-Mobile, Verizon, Google-Fi, and currently on Sprint and not safer, but cheaper
0
 
Richard SandersAuthor Commented:
STATE AUTHORITY AND I EXCHANGED EMAILS (with great difficulty thanks to MitM but I did not know that was cause then) and be was useless, would not meet me, would not visit, would not allow me to visit, would not allow my sending him anything by US Mail (much more secure than poisoned DNS with many redirects...) and he expected me to demonstarte all of this, prior to my technical knowledge with 3 screenshots, aka how many bitmapsfit in an attachment. So.... they suck. Now thinking maybe FBI but fear will not be taken seriously
0
 
Richard SandersAuthor Commented:
I want to also thank you all for joining the topic and hearing me and voicing ideas... I have felt so horribly lonely these 13 months and have lost friends, and become extremely isolated and alienated and that has made my life a living hell. So thank you all, even if we do not solve it, I am hugely grateful your even looking at it and voicing thoughts. I really do appreciate it. And thank you.


QUESTIONS & ANSWERS

Q: What I would recommend is systematically work form the ground up.
A: I would love to, and have tried, and am actually quite expert at all of Kali, some subraph, tails--easy, and have tried to get a good install of black arch but it fails. Anyway even my Kali, does not have correct finger prints but after 100s of tries at least it will run some of the tools... but I have only broken tools, and there is this certificate propogation that poisons any device, even a clean from microsoft usb installer, and I have interruped at early as possible (audit mode as built in admin just prior OOBE but sysprep has run a bunch, and can confirm the registry changes 30k of them happen in sysprep, as recorded by setupact log, and the cert root certificates are just some combo of damned hilarious (3rd level untrusted [but the system is trusting it and you cannot revoke it] that can do literally "anything" including change power state so the machine will not poswt, or encrypt dom0 with like a fork of vericrypt, control TPM, etc.

So I have thooroughly exhausted the idea of new hardware and software and have discovered that locally I am attacked and reduced in permission and online the same, but via middleware and API abuse and some 53 webapps that I cannot even identify yet

A few questions:
1: Do you have a central file storage (NAS or SAN)?
A: No. I( had the install media on dvds and on usb drives, but they have become corrupted, including the DVDs which I had believed to be finalized DVD-Rs but they have new files on them which is weird, and I cannot explain. But my business and my home were just my own private devices. Not they are provisioned and taking policy and have confirmed that but will resist any notion they are "domain joined" but all run the local server, and all users are treated as remote users, unchangeably, including built in admin object. I get the sense of a "shasred PC" and "shared permissions" with some mal actor who has greaterpermissions than I do but I cannot find.

Some hypothesis now confirmed and captured their files:
1. ADAM folder and install qand silent uninstall of policy (yes, captured folder in audit mode and captured events in event scheduler)
2. Possibility of use of "puppetware" especially ansible and gradle? (Yes, have found both, hidden, quite well, but have confirmed both occur.) and have copies.
3. Disguised SQL embedded and injection and PHP threats? (Confirmed) in windows AND wireshark.
4. I have used various live distros of linux for investigative purpioses e.g. Tails was great for seeing the files that were under the files I could not access in Windows, whether I attempted to modify security permissions or not, and copy things. Kali has been pretty awesome but really only a few of its tools have felt relevant or at least to me. Maybe if I were better. I honestly have been messing with trying to change the bootloader from some "PXE" environment of "//?/bunch of crazy90-4893j949n843934890n to something sensible, or change the environment variables so I feel less contained or paravirtualized, and I have some indication one or both is happening.

**Strangest finding but unconfirmed: Sophos Trial of its pro software, while I had access, believed the Windows 10 Pro to be actually Windows RT. Not been able to experiment further.

Note: have found many .elf files and .lock files; but the file "desktop.ini" is littered everywhere. Oh and if I attack the registry and mess with its security in order to do so, it heals instantly, and I think it puts me in a side-by-side memory state, as if I did not matter.
2. All Windows OS?
A: Yes and no, mainly yes but I had the coreboot libre purism 13 and it showed compromise very rapidly despite the kill switches being in kill position, and I have no clue how (no USB evil maid even had a chance to run or be in it) and I can only describe its "compromise" as 67% certain, and seems to require the remote access (common element, this cannot be revoked on any) and its apparent vulnerability was IRC chat of all things. I cannot explain further.
3: How are you see that your system is compromised. Something as clever as you outlined seems like it would want to remain hidden.
A: of yeh, a majority of all files, and folders, are added the permission "Everyone: Deny" and so removing that will often allow access, but the severe ones I have been able to see using OS linux or changing the owner in permissions to say built in admin and then enabling him and logging in as him-->there is a ton of group policy customization that has occcured but the computer insists it does not follow group policy or directory, but it definitely 100% does. Just will not let me near it; and in Power Shell which was used to rapidly execute much of this, I find everything to be aliased and lots of things have the name (bigendian-littleendian-littleendian-bigendiean) but as number sequences, so... I hope maybe that means something?

I also was able to get a thorough look at the system, any of them from from initial cold boot ctrl+shift+f3
Q: code purpose?
A: Unknown. Middleware, & API control, and hostile drivers and more.
5: A: it behaves as one but the "adam folder" rapidly silently uninstalls in OOBE while cortana is doing her garbage.
6: Love wireshark. Ettercap my other lover.  

I havfe private ownership of what were intended not policy or runtime or managed devices, ergo I have no network ppl or other network infrastructure. I tried to build a custom network of my own design but was poisoned by permissions/bad-certs. Was to be Untangled->FreeBsd(nginx reverse proxy on top; any iptable if possible carefully configured)-->fortinet expired box running pfsense, configured->various APs each 1 zone, 1-3

BUT sadly I have not been able to build it due to permissions violations.... ALSO have been seeing "cloudos" and "cloud deploy" recently in reference to this replicating state.
0
 
Richard SandersAuthor Commented:
want me to select a couple of logs or other oddities for upload and maybe that will be helpful? Or at least interesting?
0
 
Richard SandersAuthor Commented:
most AM/AV solutions are useless bc the evil agent (unknown) will get beneath the kernal, misconfigure it, which is allowed, make it horrible, then they either lack permissions, take instruction not to scan certain i/o and mapped ram, etc, and or otherwise see the kernal hand a wrong instruction to a software piece, via a legitimate method..... I need awesome hueristics and so far the best have been 1. Win/Sysinternals tools, but not any good at repair, 2. Sophos,but maybe false positive with the whole WinRT detection, and Webroot business (the priciest one) it correctly flags many things but cannot do anything for lack of permission, even when run as admin
0
 
Richard SandersAuthor Commented:
Random one from a difficult to find, hidden, and permission blocked xml that I was able to eventually read but not delete or modify of course....


I figure it is important but that is beyond me and I have so sos o much of stuff that... taking requests.....

"<?xml version="1.0" encoding="utf-8"?>
<!--
    Categories from the enum:
    ContentCategory::Provisioning
    ContentCategory::Reboot
    ContentCategory::Languages
    ContentCategory::Drivers
    ContentCategory::InitialCustomization
    ContentCategory::Applications
    ContentCategory::Certificates
    ContentCategory::UxLockdown
    ContentCategory::Security
    ContentCategory::Content
    ContentCategory::Legacy
    ContentCategory::Connectivity
    ContentCategory::Scripts
    ContentCategory::DeviceName
    ContentCategory::UpgradeWindowsEdition
    ContentCategory::DeviceManagement
    ContentCategory::Policies
    ContentCategory::PowerSettings
    ContentCategory::CleanPC
    -->
<categoryxml>

  <Provisioning>
    <ForceSettingReload>
      <category name="Reboot" />
      <error code="0" messageID="Reboot successfully scheduled." />
    </ForceSettingReload>
    <Assets>
      <category name="Content" />
    </Assets>
    <TrustedProvisioners>
      <category name="Certificates" />
    </TrustedProvisioners>
    <Enrollments>
      <category name="DeviceManagement" />
    </Enrollments>
  </Provisioning>

  <ProvisioningCommands>
    <category name="Scripts" />
  </ProvisioningCommands>

  <AADJ>
    <category name="DeviceManagement" />
  </AADJ>

  <Accounts>
    <Domain>
      <ComputerName>
        <category name="DeviceName" />
        <error code="0" messageID="Device name set successfully." />
      </ComputerName>
    </Domain>
    <category name="Security" />
  </Accounts>

  <RootCATrustedCertificates>
    <category name="Certificates" />
  </RootCATrustedCertificates>

  <APPLICATION>
    <category name="InitialCustomization" />
  </APPLICATION>

  <AppInstall>
    <category name="Applications" />
  </AppInstall>

  <EnterpriseAssignedAccess>
    <category name="UxLockdown" />
  </EnterpriseAssignedAccess>

  <EnterpriseModernAppManagement>
    <category name="Applications" />
  </EnterpriseModernAppManagement>

  <Policy>
    <category name="Policies" />
    <error code="0" messageID="Policies applied successfully." />
    <error code="86000011" messageID="Policy is not allowed." />
  </Policy>

  <WindowsLicensing>
    <category name="UpgradeWindowsEdition" />
    <error code="0" messageID="Windows successfully upgraded." />
  </WindowsLicensing>

  <ClientCertificateInstall>
    <PFXCertInstall>
      <category name="Certificates"/>
    </PFXCertInstall>
  </ClientCertificateInstall>

  <CM_CellularEntries>
    <category name="Connectivity" />
  </CM_CellularEntries>
  <CM_ProxyEntries>
    <category name="Connectivity" />
  </CM_ProxyEntries>
  <CMPolicy>
    <category name="Connectivity" />
  </CMPolicy>

  <ActiveSync>
    <Accounts>
      <category name="InitialCustomization" />
    </Accounts>
  </ActiveSync>
  <EMAIL2>
    <category name="InitialCustomization" />
  </EMAIL2>

  <MCSF>
    <category name="InitialCustomization" /> <!-- applies to all MCSF -->
    <OOBE>
      <error code="0" messageID="OOBE successfully configured." />
    </OOBE>
    <InternetExplorer>
    </InternetExplorer>
    <Messaging>
    </Messaging>
    <NFC>
    </NFC>
    <Shell>
    </Shell>
    <Theme>
    </Theme>
    <Policies>
      <category name="Policies"/>
    </Policies>
    <Power>
      <category name="PowerSettings"/>
    </Power>
  </MCSF>


  <WiFi>
    <Profile>
      <category name="Connectivity"/>
    </Profile>
  </WiFi>


  <SecurityPolicy>
    <category name="Policies"/>
  </SecurityPolicy>

  <BrowserFavorite>
    <category name="Content" />
  </BrowserFavorite>

  <CustomDeviceUI>
    <StartupAppID>
      <category name="InitialCustomization"/>
    </StartupAppID>
    <BackgroundTaskstoLaunch>
      <category name="InitialCustomization"/>
    </BackgroundTaskstoLaunch>
  </CustomDeviceUI>

  <AllJoynManagement>
    <Firewall>
      <PublicProfile>
        <category name="InitialCustomization"/>
      </PublicProfile>
    </Firewall>
  </AllJoynManagement>

  <UnifiedWriteFilter>
    <category name="UxLockdown" />
  </UnifiedWriteFilter>

  <SecureAssessment>
    <category name="UxLockdown" />
  </SecureAssessment>

  <SharedPC>
    <category name="InitialCustomization" />
  </SharedPC>

  <Personalization>
    <category name="UxLockdown" />
  </Personalization>
  
  <AssignedAccess>
    <category name="UxLockdown" />
  </AssignedAccess>
  
  <DeveloperSetup>
    <category name="InitialCustomization" />
  </DeveloperSetup>

  <DMAcc>
    <category name="DeviceManagement" />
  </DMAcc>

  <DMClient>
    <UpdateManagementServiceAddress>
      <category name="DeviceManagement" />
    </UpdateManagementServiceAddress>
  </DMClient>

  <People>
    <Phonebook>
      <category name="Content" />
    </Phonebook>
  </People>

  <NetworkProxy>
    <category name="Connectivity"/>
  </NetworkProxy>

  <NetworkQoSPolicy>
    <category name="Connectivity"/>
  </NetworkQoSPolicy>

  <SurfaceHub>
    <category name="InitialCustomization"/>
  </SurfaceHub>

  <WindowsTeam>
    <category name="InitialCustomization"/>
  </WindowsTeam>

  <VPNv2>
    <category name="Connectivity"/>
  </VPNv2>

  <EnterpriseAPN>
    <category name="Connectivity" />
  </EnterpriseAPN>

  <CleanPC>
    <category name="CleanPC" />
  </CleanPC>
</categoryxml>
"

Open in new window

0
 
Richard SandersAuthor Commented:
and any effort to boot live into Parted Magic, gets hijacked.... and also the boot and nuke not so effective since ssd.... and windows diskpart and utilities not formatting it
0
 
Richard SandersAuthor Commented:
this one is from something called phone.inf and I admit not to understand it but I can guess at what it might be....



ALSO guest is forced by policy, and cannot change, certutil will not run, and guest hypervisor v control is not able to be removed among other changes

[Version]
Signature = $Chicago$

[IsoCodes]
AFG,,,%Afghanistan%,%not_available%,(971) (4) 391 7000,%not_available%
ALB,,,%Albania%,%not_available%,355 04 45 15 151,%not_available%
DZA,,,%Algeria%,%not_available%,+213 21 89 10 70,%not_available%
ASM,,,%American_Samoa%,%not_available%,+ 61 2 9870 2131,%not_available%
AND,,,%Andorra%,%not_available%,(33) (1) 7226 6080 %FRENCH%  %or% (34) (91) 114 1464 %SPANISH%,%not_available%
AGO,,,%Angola%,%not_available%,(351) 214 154 065,%not_available%
AIA,,,%Anguilla%,1-866-993-9301,1 3054189144,%not_available%
ATA,,,%Antarctica%,%not_available%,+ 61 2 9870 2131,%not_available%
ATG,,,%Antigua_and_Barbuda%,1-866-647-2707,%not_available%,%not_available%
ARG,,,%Argentina%,0-800-999-4617,11-5032-0177,%not_available%
ARM,,,%Armenia%,%not_available%,+374 10 541082 %(Moscow_Russia)%,%not_available%
ABW,,,%Aruba%,%not_available%,+1-305-603-4466,%not_available%
AUS,,,%Australia%,1800 642 008 %or% 13 20 58,+61 2 9870 2131 %or% +61 2 9870 2200,%not_available%
AUT,,,%Austria%,(0) (800) 000 000,(43) (1)795 673 56,%not_available%
AZE,,,%Azerbaijan%,%not_available%,01 24 37 35 555,%not_available%
BHS,,,%Bahamas%,1-866-317-5700,%not_available%,%not_available%
BHR,,,%Bahrain%,(800) 04500,(971) (4) 391 7000,%not_available%
BGD,,,%Bangladesh%,%not_available%, + 65-6324-8098,%not_available%
BRB,,,%Barbados%,1-800-534-3365,%not_available%,%not_available%
BLR,,,%Belarus%, (8) (820) 0071 0003,(7) (495) 745 5445 %(Moscow_Russia)% %or% +43 (0)179567029 %or% +43 0179567028,%not_available%
BEL,,,%Belgium%,(0) (800) 40758,(32) (2) 401 2650,%not_available%
BLZ,,,%Belize%,%not_available%,+1-305-603-4466,%not_available%
BEN,,,%Benin%,%not_available%,+225 20 24 24 90 ,%not_available%
BMU,,,%Bermuda%,1-866-263-1098,%not_available%,%not_available%
BTN,,,%Bhutan%,%not_available%,(65) 6324 8098,%not_available%
BOL,,,%Bolivia%,800 100 359,%not_available%,%not_available%
BON,,,%Bonaire%,00-1-866-322-0524,%not_available%,%not_available%
BIH,,,%Bosnia_and_Herzegovina%,(0) (800) 20 230,(387) (33) 606 100,%not_available%
BWA,,,%Botswana%,%not_available%,27 11 844 6011,%not_available%
BVT,,,%Bouvet_Island%,%not_available%,(47) (23) 162 126,%not_available%
BRA,,,%Brazil%,0-800-888-4081,%not_available%,%not_available%
IOT,,,%British_Indian_Ocean_Territories%,%not_available%,27 11 844 6011 ,%not_available%
BRN,,,%Brunei_Darussalam%,%not_available%, +84 (4) 3935-1053 %or% +65 6324-8098,%not_available%
BGR,,,%Bulgaria%,(0) (800) 1 5555,(359) (2) 965 7100,%not_available%
BFA,,,%Burkina_Faso%,%not_available%,+225 20 24 24 90,%not_available%
BDI,,,%Burundi%,%not_available%,+225 20 24 24 90,%not_available%
KHM,,,%Cambodia%,%not_available%, +84 (4) 3935-1053 %or% +65 6324-8098,%not_available%
CMR,,,%Cameroon%,%not_available%,+225 20 24 24 90,%not_available%
CAN,,,%Canada%,855-801-0109,%not_available%,%not_available%
CPV,,,%Cape_Verde%,%not_available%,(351) 214 154 065,%not_available%
CYM,,,%Cayman_Islands%,1-866-263-7308,%not_available%,%not_available%
CAF,,,%Central_African_Republic%,%not_available%,+225 20 24 24 90,%not_available%
TCD,,,%Chad%,%not_available%,+225 20 24 24 90,%not_available%
CHL,,,%Chile%,800-330-600,%not_available%,%not_available%
CHN,,,%China%,800 830 1832,400 830 1832,%not_available%
CXR,,,%Christmas_Island%,%not_available%,+ 61 2 9870 2131,%not_available%
CCK,,,%Cocos_Islands%,%not_available%,+ 61 2 9870 2131,%not_available%
COL,,,%Colombia%,01-800-051-0595,%not_available%,%not_available%
COM,,,%Comoros%,%not_available%,27 11 844 6011 ,%not_available%
COG,,,%Congo_(DRC)%,%not_available%,+225 20 24 24 90,%not_available%
COK,,,%Cook_Islands%,%not_available%,+ 61 2 9870 2131,%not_available%
CRI,,,%Costa_Rica%,0-800-012-1446,%not_available%,%not_available%
CIV,,,%Cote_D'Ivoire%,%not_available%,+225 20 24 24 90,%not_available%
HRV,,,%Croatia%,(0) (800) 300 300,(385) (1) 789 0300,%not_available%
ANG,,,%Curacao_(formerly_Netherlands_Antilles)%,00-1-866-322-0524,%not_available%,%not_available%
CYP,,,%Cyprus%,(800) 90 900,+357 22 67 4000,%not_available%
CZE,,,%Czech_Republic%,(0800) 100-074,(420) 225 990 844,%not_available%
DNK,,,%Denmark%,(807) 01315,(45) 38 487 131,%not_available%
DJI,,,%Djibouti%,%not_available%,+225 20 24 24 90,%not_available%
DMA,,,%Dominica%,1-866-993-9311,%not_available%,%not_available%
DOM,,,%Dominican_Republic%,1-888-751-2323,%not_available%,%not_available%
TMP,,,%East_Timor%,%not_available%, + 65-6324-8098,%not_available%
ECU,,,%Ecuador%,1-800-258-025,%not_available%,%not_available%
EGY,,,%Egypt%,%not_available%,+202 3 5393333,%not_available%
SLV,,,%El_Salvador%,800-6744,%not_available%,%not_available%
GNQ,,,%Equatorial_Guinea%,%not_available%,+225 20 24 24 90 ,%not_available%
ERI,,,%Eritrea%,%not_available%,(254) 20 286 8800,%not_available%
EST,,,%Estonia%,(800) 2230,(372) 686 8820,%not_available%
ETH,,,%Ethiopia%,%not_available%,(254) 20 286 8800,%not_available%
FLK,,,%Falkland_Islands_(Islas_Malvinas)%,%not_available%,+1 305 603 4466,%not_available%
FRO,,,%Faroe_Islands%,%not_available%,(45) 38 487 131,%not_available%
FJI,,,%Fiji%,%not_available%,+ 61 2 9870 2131,%not_available%
FIN,,,%Finland%,(0) (800) 770 215, 358 98 17 10 400,%not_available%
FRA,,,%France%,(0) (805) 110 235,(33) (1) 7226 6080,%not_available%
GUF,,,%French_Guiana%,%not_available%,+1-305-603-4466,%not_available%
PYF,,,%French_Polynesia%,%not_available%,(33) (1) 7226 6080,%not_available%
ATF,,,%French_Southern_Territories%,%not_available%,(33) (1) 7226 6080,%not_available%
GAB,,,%Gabon%,%not_available%,+225 20 24 24 90,%not_available%
GMB,,,%Gambia%,%not_available%,+225 20 24 24 90,%not_available%
GEO,,,%Georgia%,%not_available%,(7) (495) 745 5445 %(Moscow_Russia)%,%not_available%
DEU,,,%Germany%,(0) (800) 2848-283, (49) (89) 2444 5093,%not_available%
GHA,,,%Ghana%,%not_available%,+234 127 10 156,%not_available%
GIB,,,%Gibraltar%,%not_available%,(44) (870) 2411 963,%not_available%
GRC,,,%Greece%,(800) 1143 100,+30 211 123 6500,%not_available%
GRL,,,%Greenland%,%not_available%,(45) 38 487 131,%not_available%
GRD,,,%Grenada%,1-866-993-9312,%not_available%,%not_available%
GLP,,,%Guadeloupe%,%not_available%,+1-305-603-4466,%not_available%
GUM,,,%Guam%,%not_available%,61 2 9870 2131,%not_available%
GTM,,,%Guatemala%,1-801-130-0100,%not_available%,%not_available%
GIN,,,%Guinea%,%not_available%,+225 20 24 24 90 ,%not_available%
GNB,,,%Guinea-Bissau%,%not_available%,(351) 214 154 065,%not_available%
GUY,,,%Guyana%,%not_available%,+1 305 603 4466,%not_available%
HTI,,,%Haiti%,%not_available%,193 / PIN 3141,%not_available%
HMD,,,%Heard_Island_and_Mcdonald_Islands%,%not_available%,61 2 9870 2131,%not_available%
HND,,,%Honduras%,800-2791-9299,%not_available%,%not_available%
HKG,,,%Hong_Kong%,%not_available%,+852 2904-2198,%not_available%
HUN,,,%Hungary%,(06) 800 18749,(36) (1) 267 4636,%not_available%
ISL,,,%Iceland%,(800) 8236, +354 510 6925,%not_available%
IND,,,%India%,1800 1111 00 %or% 1800 102 1100,91 80 40103000,%not_available%
IDN,,,%Indonesia%,001 803 657 668,+65 6324-8098,%not_available%
IRQ,,,%Iraq%,%not_available%,(971) (4) 391 7000,%not_available%
IRL,,,%Ireland%,(1) (800) 930 031,(353) (1) 447 5390,%not_available%
ISR,,,%Israel%,(1) (800) 350 444,(44) (870) 2411 963,%not_available%
ITA,,,%Italy%,(800) 531 042,(39) (02) 3604 6340,%not_available%
JAM,,,%Jamaica%,1-800-647-2701,%not_available%,%not_available%
JPN,,,%Japan%,0120-801-734,+81-3-6831-3460 %(Tokyo)%,%not_available%
JOR,,,%Jordan%,(800) 22 731,(962) (6) 5503451,%not_available%
KAZ,,,%Kazakhstan%,(8) (800) 0801001,(7) (727) 298 0126,%not_available%
KEN,,,%Kenya%,%not_available%,(254) (20) 286 8800,%not_available%
KIR,,,%Kiribati%,%not_available%,+ 61 2 9870 2131,%not_available%
KOR,,,%Korea%,+82 2 567 7881,1577-9700,%not_available%
KWT,,,%Kuwait%,%not_available%,(965) 2243 1071,%not_available%
KGZ,,,%Kyrgyzstan%,%not_available%,(7) (495) 745 5445 %(Moscow_Russia)%,%not_available%
LAO,,,%Lao_Peoples_Democratic_Republic%,%not_available%, +60 (3) 771 24 671 %or% +84 (4) 3935 1053,%not_available%
LVA,,,%Latvia%,(802) 00920,(371) (67) 852 112,%not_available%
LBN,,,%Lebanon%,%not_available%,(961) (1) 974 035,%not_available%
LSO,,,%Lesotho%,%not_available%,27 11 844 6011,%not_available%
LBR,,,%Liberia%,%not_available%,+225 20 24 24 90 ,%not_available%
LBY,,,%Libya%,%not_available%,(218) (21) 3330356,%not_available%
LIE,,,%Liechtenstein%,%not_available%,(41) (44) 580 7558,%not_available%
LTU,,,%Lithuania%,(800) 22032,(370) 520 511 20,%not_available%
LUX,,,%Luxembourg%,8002 99 77,(33) (1) 7226 6080 %FRENCH% %or% (49) (89) 2444 5093 %GERMAN%,%not_available%
MAC,,,%Macao_SAR%,%not_available%,+ 852 2904-2198,%not_available%
MKD,,,%Macedonia_(FYROM)%,%not_available%,(389) (2) 3090 890,%not_available%
MDG,,,%Madagascar%,%not_available%,27 11 844 6011,%not_available%
MWI,,,%Malawi%,%not_available%,27 11 844 6011,%not_available%
MYS,,,%Malaysia%,00 800 2468 1668,+65-6324-8098,%not_available%
MDV,,,%Maldives%,%not_available%, +65-6324-8098,%not_available%
MLI,,,%Mali%,%not_available%,+225 20 24 24 90 ,%not_available%
MLT,,,%Malta%,(800) 65 432,%not_available%,%not_available%
MHL,,,%Marshall_Islands%,%not_available%,+ 61 2 9870 2131,%not_available%
MTQ,,,%Martinique%,%not_available%,+1-305-603-4466,%not_available%
MRT,,,%Mauritania%,%not_available%,(212) (22) 95 61 53,%not_available%
MUS,,,%Mauritius%,%not_available%,(230) 202 8120 ,%not_available%
MYT,,,%Mayotte%,%not_available%,(61) (2) 9870 2131,%not_available%
MEX,,,%Mexico%,01-800-527-2000,%not_available%,%not_available%
FSM,,,%Micronesia%,%not_available%,(61) (2) 9870 2131,%not_available%
MDA,,,%Moldova%,%not_available%,(4) (021) 203 61 53,%not_available%
MCO,,,%Monaco%,(0) (805) 11 02 35,(33) (1) 7226 6080,%not_available%
MNG,,,%Mongolia%,%not_available%,(7) (495) 745 5445 %(Moscow_Russia)%,%not_available%
ME,,,%Montenegro%,%not_available%,(381) (11) 3305 500,%not_available%
MSR,,,%Montserrat%,1-866-993-9316,%not_available%,%not_available%
MAR,,,%Morocco%,(0801) 000 809,212 5 22 95 61 50,%not_available%
MOZ,,,%Mozambique%,%not_available%,(351) 214 154 065,%not_available%
MMR,,,%Myanmar%,%not_available%, +84 (4) 3935-1053 %or% +65 6324-8098,%not_available%
NAM,,,%Namibia%,%not_available%,+264 61 292 5016,%not_available%
NRU,,,%Nauru%,%not_available%,+ 61 2 9870 2131,%not_available%
NPL,,,%Nepal%,%not_available%, +65-6324-8098,%not_available%
NLD,,,%Netherlands%,(0) (800) 023 3487,(31) (20) 713 9240,%not_available%
NCL,,,%New_Caledonia%,%not_available%,(33) (1) 7226 6080,%not_available%
NZL,,,%New_Zealand%,0800 676 334,%not_available%,%not_available%
NIC,,,%Nicaragua%,001-800-220-1804,%not_available%,%not_available%
NER,,,%Niger%,%not_available%,+225 20 24 24 90 ,%not_available%
NGA,,,%Nigeria%,%not_available%,(234) (1) 27 10 156,%not_available%
NIU,,,%Niue%,%not_available%,+ 61 2 9870 2131,%not_available%
NFK,,,%Norfolk_Island%,%not_available%,+ 61 2 9870 2131,%not_available%
MNP,,,%Northern_Mariana_Islands%,%not_available%,+ 61 2 9870 2131,%not_available%
NOR,,,%Norway%,(800) 56 615,(47) (23) 162 126,%not_available%
OMN,,,%Oman%,80073332,(968) 2444 6487,%not_available%
PAK,,,%Pakistan%,%not_available%,(92) (21) 11167 4357,%not_available%
PLW,,,%Palau%,%not_available%,+ 61 2 9870 2131,%not_available%
PSE,,,%Palestinian_Authority%,%not_available%,(962) (6) 462 6969,%not_available%
PAN,,,%Panama%,00-1-800-507-1885,%not_available%,%not_available%
PNG,,,%Papua_New_Guinea%,%not_available%,+ 61 2 9870 2131,%not_available%
PRY,,,%Paraguay%,00-9-800-542-0004,%not_available%,%not_available%
PER,,,%Peru%,0-800-51-900,%not_available%,%not_available%
PHL,,,%Philippines%,00 800-2468 1688 %or% 1 800-1441-0158,+65-6324-8098 %or% +63 2 859 0505,%not_available%
PCN,,,%Pitcairn_Island%,%not_available%,61 2 9870 2131,%not_available%
POL,,,%Poland%,00 800 121 1654,(48) (22) 594 19 99,%not_available%
PRT,,,%Portugal%,(800) 849 102,(351) (214) 154 065,%not_available%
PRI,,,%Puerto_Rico%,1-866-584-6059,%not_available%,%not_available%
QAT,,,%Qatar%,%not_available%,(974) (4) 119418,%not_available%
REU,,,%Reunion%,%not_available%,(33) (1) 7226 6080,%not_available%
ROM,,,%Romania%,(0800) 822 222,(40) (21) 204 70 15,%not_available%
RUS,,,%Russia%,(8) (800) 200 8002,(7) (495) 745 5445 %(Moscow_Russia)% ,%not_available%
RWA,,,%Rwanda%,%not_available%,+225 20 24 24 90 ,%not_available%
SHN,,,%Saint_Helena%,%not_available%,+27 11 844 6011,%not_available%
KNA,,,%Saint_Kitts_and_Nevis%,1-866-745-0644,%not_available%,%not_available%
LCA,,,%Saint_Lucia%,1-866-796-2893,%not_available%,%not_available%
STM,,,%Saint_Maarteen%,00-1-866-322-0524,%not_available%,%not_available%
SMM,,,%Saint_Martin%,%not_available%,+1-305-603-4466,%not_available%
SPM,,,%Saint_Pierre_and_Miquelon%,%not_available%,+27 11 844 6011,%not_available%
STT,,,%Saint_Thomas%,1-877-678-8034,%not_available%,%not_available%
VCT,,,%Saint_Vincent_and_The_Grenadines%,1-866-796-2899,%not_available%,%not_available%
WSM,,,%Samoa%,%not_available%,+ 61 2 9870 2131,%not_available%
SMR,,,%San_Marino%,(800) 531 042,(39) (02) 3604 6340,%not_available%
STP,,,%Sao_Tome_and_Principe%,%not_available%,(351) 214 154 065,%not_available%
SAU,,,%Saudi_Arabia%,(800) 820 0135,(966) (1) 218 8385,%not_available%
SEN,,,%Senegal%,%not_available%,+225 20 24 24 90 ,%not_available%
SRB,,,%Serbia%,(0) 700 300 300,(381) (11) 3305 500,%not_available%
SYC,,,%Seychelles%,%not_available%,+27 11 844 6011,%not_available%
SLE,,,%Sierra_Leone%,%not_available%,+225 20 24 24 90 ,%not_available%
SGP,,,%Singapore%,1800-324-8098 %or% 800-852-3543,+65-6324-8098,%not_available%
SVK,,,%Slovakia%,(0) (800) 178 278,(421) (2) 59 295 888,%not_available%
SVN,,,%Slovenia%,080 8028,(386) (1) 5853 449,%not_available%
SLB,,,%Solomon_Islands%,%not_available%,(61) (2) 9870 2131,%not_available%
SLM,,,%Somalia%,%not_available%,+27 11 844 6011,%not_available%
ZAF,,,%South_Africa%,(0) (801) 43 43 43,+27 11 844 6011,%not_available%
SGS,,,%South_Georgia_and_Sandwich_Islands%,%not_available%,54-11-4317-2626,%not_available%
ESP,,,%Spain%,(900) 150 889,(34) (91) 114 1464,%not_available%
LKA,,,%Sri_Lanka%,%not_available%, +91 08 40103000,%not_available%
SUR,,,%Suriname%,%not_available%,(1) (305) 603 4466,%not_available%
SJM,,,%Svalbard_and_Jan_Mayen%,%not_available%,(47) (23) 162 126,%not_available%
SWZ,,,%Swaziland%,%not_available%,+27 11 844 6011,%not_available%
SWE,,,%Sweden%,020 140 00 15,(46) (8) 5033 4670,%not_available%
CHE,,,%Switzerland%,00 800 22848283,(41) (44) 580 7558,%not_available%
TWN,,,%Taiwan%,00-800-2468-1668 %or% 0800-008833,886 2 8771 7276 %or% +886 2 2999 8833,%not_available%
TJK,,,%Tajikistan%,%not_available%,(7) (495) 745 5445 %(Moscow_Russia)% ,%not_available%
TZA,,,%Tanzania%,%not_available%,+27 11 844 6011,%not_available%
THA,,,%Thailand%,001 800 2468 1668 (International Access Code) %or% 001 800 4410560,+65 6324 8098 %or% 66 2 263 6888,%not_available%
TGO,,,%Togo%,%not_available%,+225 20 24 24 90 ,%not_available%
TKL,,,%Tokelau%,%not_available%,+ 61 2 9870 2131,%not_available%
TON,,,%Tonga%,%not_available%,(61) (2) 9870 2131,%not_available%
TTO,,,%Trinidad_and_Tobago%,1-888-801-2598,%not_available%,%not_available%
TUN,,,%Tunisia%,%not_available%,(216)71 16 87 00,%not_available%
TUR,,,%Turkey%,(0800) 211 3939,(90) (212) 33 66 999,%not_available%
TKM,,,%Turkmenistan%,%not_available%,(7) (495) 745 5445 %(Moscow_Russia)% ,%not_available%
TCA,,,%Turks_and_Caicos_Islands%,1-866-745-7616,%not_available%,%not_available%
TUV,,,%Tuvalu%,%not_available%,+ 61 2 9870 2131,%not_available%
UGA,,,%Uganda%,%not_available%,(254) (20) 286 8800,%not_available%
UKR,,,%Ukraine%,(0) (800) 308 800,(380) (44) 2305102,%not_available%
ARE,,,%United_Arab_Emirates%,(800) 020 0 0132,(971) (4) 391 7000,%not_available%
GBR,,,%United_Kingdom%,(0) (800) 018 8354,(44) (203) 147 4930,%not_available%
USA,,,%United_States%,855-801-0109,%not_available%,%not_available%
UMI,,,%United_States_Minor_Outlying_Islands%,855-801-0109,%not_available%,%not_available%
URY,,,%Uruguay%,000-405-4349,%not_available%,%not_available%
UZB,,,%Uzbekistan%,%not_available%,(7) (495) 745 5445 %(Moscow_Russia)% ,%not_available%
VUT,,,%Vanuatu%,%not_available%,61 2 9870 2131,%not_available%
VAT,,,%Vatican_City_State%,(800) 531 042,(39) (02) 3604 6340,%not_available%
VEN,,,%Venezuela%,0-800-100-4622,%not_available%,%not_available%
VNM,,,%Vietnam%,122 80 090, +65 6324 8098 %or% +84 (4) 3935 1053,%not_available%
VGB,,,%Virgin_Islands_(British)%,1-866-796-2945,%not_available%,%not_available%
VIR,,,%Virgin_Islands_-_US_&_ST._Thomas%,1-866-678-8034,%not_available%,%not_available%
WLF,,,%Wallis_And_Futuna_Islands%,%not_available%,+ 61 2 9870 2131,%not_available%
YEM,,,%Yemen%,%not_available%,(971) (4) 391 7000,%not_available%
ZMB,,,%Zambia%,%not_available%,+27 11 844 6011,%not_available%
ZWE,,,%Zimbabwe%,%not_available%,+27 11 844 6011,%not_available%

[Strings]
Afghanistan	=   "3"
Albania         =   "6"
Algeria         =   "4"
American_Samoa      =   "10"
Andorra         =   "8"
Angola          =   "9"
Anguilla        =   "300"
Antarctica      =   "301"
Antigua_and_Barbuda =   "2"
Argentina       =   "11"
Armenia         =   "7"
Aruba           =   "302"
Australia       =   "12"
Austria         =   "14"
Azerbaijan      =   "5"
Bahamas         =   "22"
Bahrain         =   "17"
Bangladesh      =   "23"
Barbados        =   "18"
Belarus         =   "29"
Belgium         =   "21"
Belize          =   "24"
Benin           =   "28"
Bermuda         =   "20"
Bhutan          =   "34"
Bolivia         =   "26"
Bonaire         =   "161832258"
Bosnia_and_Herzegovina  =   "25"
Botswana        =   "19"
Bouvet_Island       =   "306"
Brazil          =   "32"
British_Indian_Ocean_Territories="114"
Brunei_Darussalam   =   "37"
Bulgaria        =   "35"
Burkina_Faso        =   "245"
Burundi         =   "38"
Cambodia        =   "40"
Cameroon        =   "49"
Canada          =   "39"
Cape_Verde      =   "57"
Cayman_Islands      =   "307"
Central_African_Republic=   "55"
Chad            =   "41"
Chile           =   "46"
China           =   "45"
Christmas_Island    =   "309"
Cocos_Islands       =   "311"
Colombia        =   "51"
Comoros         =   "50"
Congo_(DRC)     =   "44"
Cook_Islands        =   "312"
Costa_Rica      =   "54"
Cote_D'Ivoire       =   "119"
Croatia         =   "108"
Curacao_(formerly_Netherlands_Antilles)         ="273"
Cyprus          =   "59"
Czech_Republic      =   "75"
Denmark         =   "61"
Djibouti        =   "62"
Dominica        =   "63"
Dominican_Republic  =   "65"
East_Timor      =   "7299303"
Ecuador         =   "66"
Egypt           =   "67"
El_Salvador     =   "72"
Equatorial_Guinea   =   "69"
Eritrea         =   "71"
Estonia         =   "70"
Ethiopia        =   "73"
Falkland_Islands_(Islas_Malvinas)="315"
Faroe_Islands   =   "81"
Fiji            =   "78"
Finland         =   "77"
France          =   "84"
French_Guiana   =   "317"
French_Polynesia    =   "318"
French_Southern_Territories=    "319"
Gabon           =   "87"
Gambia          =   "86"
Georgia         =   "88"
Germany         =   "94"
Ghana           =   "89"
Gibraltar       =   "90"
Greece          =   "98"
Greenland       =   "93"
Grenada         =   "91"
Guadeloupe      =   "321"
Guam            =   "322"
Guatemala       =   "99"
Guinea          =   "100"
Guinea-Bissau       =   "196"
Guyana          =   "101"
Haiti           =   "103"
Heard_Island_and_Mcdonald_Islands="325"
Honduras        =   "106"
Hong_Kong       =   "104"
Hungary         =   "109"
Iceland         =   "110"
India           =   "113"
Indonesia       =   "111"
Iraq            =   "121"
Ireland         =   "68"
Israel          =   "117"
Italy           =   "118"
Jamaica         =   "124"
Jan_Mayen       =   "125"
Japan           =   "122"
Jordan          =   "126"
Kazakhstan      =   "137"
Kenya           =   "129"
Kiribati        =   "133"
Korea           =   "134"
Kuwait          =   "136"
Kyrgyzstan      =   "130"
Lao_Peoples_Democratic_Republic ="138"
Latvia          =   "140"
Lebanon         =   "139"
Lesotho         =   "146"
Liberia         =   "142"
Libya           =   "148"
Liechtenstein       =   "145"
Lithuania       =   "141"
Luxembourg      =   "147"
Macao_SAR           =   "151"
Macedonia_(FYROM)   =   "19618"
Madagascar      =   "149"
Malawi          =   "156"
Malaysia        =   "167"
Maldives        =   "165"
Mali            =   "157"
Malta           =   "163"
Marshall_Islands    =   "199"
Martinique      =   "330"
Mauritania      =   "162"
Mauritius       =   "160"
Mayotte         =   "331"
Mexico          =   "166"
Micronesia      =   "80"
Moldova         =   "152"
Monaco          =   "158"
Mongolia        =   "154"
Montenegro      =   "270" 
Montserrat      =   "332"
Morocco         =   "159"
Mozambique      =   "168"
Myanmar         =   "27"
Namibia         =   "254"
Nauru           =   "180"
Nepal           =   "178"
Netherlands     =   "176"
New_Caledonia       =   "334"
New_Zealand     =   "183"
Nicaragua       =   "182"
Niger           =   "173"
Nigeria         =   "175"
Niue            =   "335"
Norfolk_Island      =   "336"
Northern_Mariana_Islands=   "337"
Norway          =   "177"
Oman            =   "164"
Pakistan        =   "190"
Palau           =   "195"
Palestinian_Authority = "%352%"
Panama          =   "192"
Papua_New_Guinea    =   "194"
Paraguay        =   "185"
Peru            =   "187"
Philippines     =   "201"
Pitcairn_Island =   "339"
Poland          =   "191"
Portugal        =   "193"
Puerto_Rico     =   "202"
Qatar           =   "197"
Reunion         =   "198"
Romania         =   "200"
Russia  =   "203"
Rwanda          =   "204"
Saint_Helena        =   "343"
Saint_Kitts_and_Nevis   =   "207"
Saint_Lucia     =   "218"
Saint_Maarteen = "30967"
Saint_Martin   = "31706"
Saint_Pierre_and_Miquelon=  "206"
Saint_Thomas = "%364%"
Saint_Vincent_and_The_Grenadines="248"
Samoa           =   "259"
San_Marino      =   "214"
Sao_Tome_and_Principe   =   "233"
Saudi_Arabia        =   "205"
Senegal         =   "210"
Serbia          = "271"
Seychelles      =   "208"
Sierra_Leone        =   "213"
Singapore       =   "215"
Slovakia        =   "143"
Slovenia        =   "212"
Solomon_Islands     =   "30"
Somalia         =   "216"
South_Africa        =   "209"
South_Georgia_and_Sandwich_Islands="342"
Spain           =   "217"
Sri_Lanka       =   "42"
Suriname        =   "181"
Svalbard_and_Jan_Mayen  =   "220"
Swaziland       =   "260"
Sweden          =   "221"
Switzerland     =   "223"
Taiwan          =   "237"
Tajikistan      =   "228"
Tanzania        =   "239"
Thailand        =   "227"
Togo            =   "232"
Tokelau         =   "347"
Tonga           =   "231"
Trinidad_and_Tobago =   "225"
Tunisia         =   "234"
Turkey          =   "235"
Turkmenistan        =   "238"
Turks_and_Caicos_Islands=   "349"
Tuvalu          =   "236"
Uganda          =   "240"
Ukraine         =   "241"
United_Arab_Emirates    =   "224"
United_Kingdom      =   "242"
United_States       =   "244"
United_States_Minor_Outlying_Islands="161832256"
Uruguay         =   "246"
Uzbekistan      =   "247"
Vanuatu         =   "174"
Vatican_City_State  =   "253"
Venezuela       =   "249"
Vietnam        =   "251"
Virgin_Islands_(British)=   "351"
Virgin_Islands_-_US_&_ST._Thomas   =   "252"
Wallis_And_Futuna_Islands=  "352"
Yemen           =   "261"
Zambia          =   "263"
Zimbabwe        =   "264"
not_available             =   "%300%"
or                        =   "%301%"
(free_for_Moscow)         =   "%351%"
(Moscow_Russia)           =   "%353%"
(Tokyo)                   =   "%354%"
(Osaka)                   =   "%355%"
PIN = "%365%"
ITFS = %367%
FRENCH = %368%
GERMAN = %369%
SPANISH = %370%
(landline) = %371%
(cellular_only) = %372%

Open in new window

0
 
Richard SandersAuthor Commented:
THIS also seems maybe important?

12/19/2017 12:47:08 PM Info ICD Started
12/19/2017 12:47:21 PM Warning Image customization functionality is disabled because imaging tools are not installed.
12/19/2017 12:47:21 PM Warning Exception on reading AutoLaunchConfigScenarioId. The key 'AutoLaunchConfigScenarioId' does not exist in the appSettings configuration section.
12/19/2017 12:47:21 PM Warning Exception on reading ICDWindowTitle. The key 'ICDWindowTitle' does not exist in the appSettings configuration section.
12/19/2017 12:47:21 PM Warning Exception on reading ICDWindowHeight. The key 'ICDWindowHeight' does not exist in the appSettings configuration section.
12/19/2017 12:47:21 PM Warning Exception on reading ICDWindowWidth. The key 'ICDWindowWidth' does not exist in the appSettings configuration section.
12/19/2017 12:47:21 PM Warning Exception on reading ICDWindowMinHeight. The key 'ICDWindowMinHeight' does not exist in the appSettings configuration section.
12/19/2017 12:47:21 PM Warning Exception on reading ICDWindowMinWidth. The key 'ICDWindowMinWidth' does not exist in the appSettings configuration section.
12/19/2017 12:47:21 PM Warning Exception on reading ICDWindowState. The key 'ICDWindowState' does not exist in the appSettings configuration section.
12/19/2017 12:48:31 PM Info Loaded Knobs schema hive at C:\Program Files\WindowsApps\Microsoft.WindowsConfigurationDesigner_1000.15063.1.0_x86__8wekyb3d8bbwe\Microsoft-Common-Provisioning.dat
12/19/2017 12:48:31 PM Error WpxGetFileEdition (onecore\base\ntsetup\wpx\core\store.cpp:103) - 0x80070002:
12/19/2017 12:48:31 PM Error     No SKU information file C:\Program Files\WindowsApps\Microsoft.WindowsConfigurationDesigner_1000.15063.1.0_x86__8wekyb3d8bbwe\Microsoft-Common-Provisioning.sku.xml available for store file C:\Program Files\WindowsApps\Microsoft.WindowsConfigurationDesigner_1000.15063.1.0_x86__8wekyb3d8bbwe\Microsoft-Common-Provisioning.dat
12/19/2017 12:48:31 PM Info Loaded settings from Windows Unknown Unknown
12/19/2017 12:48:31 PM Info Loaded Knobs schema hive at C:\Program Files\WindowsApps\Microsoft.WindowsConfigurationDesigner_1000.15063.1.0_x86__8wekyb3d8bbwe\Microsoft-Desktop-Provisioning.dat
12/19/2017 12:48:31 PM Error WpxGetFileEdition (onecore\base\ntsetup\wpx\core\store.cpp:103) - 0x80070002:
12/19/2017 12:48:31 PM Error     No SKU information file C:\Program Files\WindowsApps\Microsoft.WindowsConfigurationDesigner_1000.15063.1.0_x86__8wekyb3d8bbwe\Microsoft-Desktop-Provisioning.sku.xml available for store file C:\Program Files\WindowsApps\Microsoft.WindowsConfigurationDesigner_1000.15063.1.0_x86__8wekyb3d8bbwe\Microsoft-Desktop-Provisioning.dat
12/19/2017 12:48:31 PM Info Loaded settings from Windows Unknown Unknown
12/19/2017 12:54:33 PM Info Project 'C:\projects\Project_1.icdproj.xml' loaded successfully
12/19/2017 12:54:33 PM Info Loaded Knobs schema hive at C:\Program Files\WindowsApps\Microsoft.WindowsConfigurationDesigner_1000.15063.1.0_x86__8wekyb3d8bbwe\Microsoft-Common-Provisioning.dat
12/19/2017 12:54:33 PM Error WpxGetFileEdition (onecore\base\ntsetup\wpx\core\store.cpp:103) - 0x80070002:
12/19/2017 12:54:33 PM Error     No SKU information file C:\Program Files\WindowsApps\Microsoft.WindowsConfigurationDesigner_1000.15063.1.0_x86__8wekyb3d8bbwe\Microsoft-Common-Provisioning.sku.xml available for store file C:\Program Files\WindowsApps\Microsoft.WindowsConfigurationDesigner_1000.15063.1.0_x86__8wekyb3d8bbwe\Microsoft-Common-Provisioning.dat
12/19/2017 12:54:33 PM Info Loaded settings from Windows Unknown Unknown
12/19/2017 12:54:33 PM Info Loaded Knobs schema hive at C:\Program Files\WindowsApps\Microsoft.WindowsConfigurationDesigner_1000.15063.1.0_x86__8wekyb3d8bbwe\Microsoft-Desktop-Provisioning.dat
12/19/2017 12:54:33 PM Error WpxGetFileEdition (onecore\base\ntsetup\wpx\core\store.cpp:103) - 0x80070002:
12/19/2017 12:54:33 PM Error     No SKU information file C:\Program Files\WindowsApps\Microsoft.WindowsConfigurationDesigner_1000.15063.1.0_x86__8wekyb3d8bbwe\Microsoft-Desktop-Provisioning.sku.xml available for store file C:\Program Files\WindowsApps\Microsoft.WindowsConfigurationDesigner_1000.15063.1.0_x86__8wekyb3d8bbwe\Microsoft-Desktop-Provisioning.dat
12/19/2017 12:54:33 PM Info Loaded settings from Windows Unknown Unknown
12/19/2017 12:55:53 PM Info Loaded Knobs schema hive at C:\Program Files\WindowsApps\Microsoft.WindowsConfigurationDesigner_1000.15063.1.0_x86__8wekyb3d8bbwe\Microsoft-Common-Provisioning.dat
12/19/2017 12:55:53 PM Error WpxGetFileEdition (onecore\base\ntsetup\wpx\core\store.cpp:103) - 0x80070002:
12/19/2017 12:55:53 PM Error     No SKU information file C:\Program Files\WindowsApps\Microsoft.WindowsConfigurationDesigner_1000.15063.1.0_x86__8wekyb3d8bbwe\Microsoft-Common-Provisioning.sku.xml available for store file C:\Program Files\WindowsApps\Microsoft.WindowsConfigurationDesigner_1000.15063.1.0_x86__8wekyb3d8bbwe\Microsoft-Common-Provisioning.dat
12/19/2017 12:55:53 PM Info Loaded settings from Windows Unknown Unknown

Open in new window

0
 
Richard SandersAuthor Commented:
I could go for miles but common themes seem to be that it always deploys into the weak and stupid netbios namespace and that cannot change, it will use turredo and ipv6 no matter what, and it will not allow you to see all the users and orgs and security items, and the users are treated as computers, and the certs as they are, horrid, basically allow for no real actial power could oppose them.....

Here is a zip of the panther (I have seen it a bit different a few times but I am guessing this is informative to somebody, hopefully)
0
 
David Johnson, CD, MVPOwnerCommented:
this one is from something called phone.inf and I admit not to understand it but I can guess at what it might be....
.inf files are information files for the setting up of drivers and it exists on all windows platforms since windows 3.0
0
 
btanExec ConsultantCommented:
Adding on to what David shared, these set of numbers are Microsoft Activation Centers worldwide telephone numbers. They are toll and toll-free telephone numbers for Volume Licensing Activation. Not something unusual and normally comes with installation of the OS.
0
 
Richard SandersAuthor Commented:
I appreciate the responses and have begun trying the ideas. I want to share a new find today as it makes no sense, adding on top of the whole torturous yet bizarre experience, am I reading this wrong or is this referring to Windows RT (which I believe was Windows 8 embedded?) Does this help shine any light? Thank you everyone for the help, I am truly desperate and I have so many many many files and logs and code and data, but no expertise and was feeling of no hope. I appreciate you all wanting to help me. It is giving me some hope again. Thank you. I will reply again once I have tested all the above suggestions. Thank you and Merry Christmas.
rsService.exe.log
rundll32.exe.log
powershell.exe.log
EMET_GUI.exe.log
0
 
Richard SandersAuthor Commented:
Also am still puzzling over a well-hidden but discovered folder called "Systemd" and inside it is a modified .wim file named windowsdefender or something. And it is in a folder called container(s)? I can grab a screen shot if you like. But is that not a linux or unix thing?
0
 
Richard SandersAuthor Commented:
I have noticed a pattern where gaining access to the persisting hidden storage that is "temporary" is extraordinarily difficult but I managed to grab some just now and want to know if any of you programmers can make heads or tails of it, as these seem to recur (I tested and found it on the other laptop also) thanks again for any advice and help. I appreciate it more than you could possibly know. Thank you.
difficult-to-grab-persisting-hidden-.zip
0
 
Richard SandersAuthor Commented:
I am persuaded as to the harmlessness of the phone.inf and in fact only uploaded it as I noticed it was and am much more concerned about the setupactlog if anyone knows their deployments and could maybe give that a look at, I'd appreciate it as it seems alarming to me in quite a few places.
0
 
Richard SandersAuthor Commented:
Last one for now, sorry, I just found a bunch of the files I had earlier referenced and would love to know what someone with the education to understand them can maybe shine some light for me if I am being concerned for good reason or not. Thanks. There were also two .sqm but would not upload, possible they are the source of the injections/redirects? Okay well it is not allowing an upload, too many file types not allowed; but these range from what look like object c ++ to .sqm and many that are just of type "file" and no extension. And others too, some databases, some xml, some htm and html, and a bunch of STH and of particular interest to me are these files again just "file" but named "script..." something or other, existing in folders named "remote".
0
 
David Johnson, CD, MVPOwnerCommented:
Do you have windows messenger installed?  .sqm files are commonly associated with Windows Messaging
0
 
btanExec ConsultantCommented:
For author advice
0
 
btanExec ConsultantCommented:
For consideration as all shared to best how thing can move forward.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.