SOLVED how to clean reinstall without losing drivers? or should i look for malware?

2210 Views 42 Replies 5 Participants Last post by  newbee_4
hi,
I have a cheap Lenovo laptop running Windows 11 Pro (came with 11 Home and I bought upgrade which hopefully is tied to my microsoft id?) No files on it that I need. Only running windows, malwarebytes and hypersnap screen grab software.
It was exposed to a router that potentially had router malware ( nothing obvious but apparently it was an Asus router susceptible to Cyclops Blink).

Is there any chance the laptop got malware which could cause a router infection on a different make router?

and, how could I do a full fresh Windows install without losing drivers? The laptop is working fine and I already reinstalled a 'fresh copy' of Windows while keeping my own files.

I don't mind reinstalling Windows but don't know how to keep drivers.

Thank you.
1 - 20 of 43 Posts
During the process you're offered the option of keeping the personal files and apps. If you really think you're infected, then a clean install is needed. To make sure, let our Security Team take a look: Malware Removal Help Posting Instructions
thanks Corday, I posted logs just now in the malware removal forum.
To answer the title of your post, if you perform a Clean Install, you would delete all partitions on a drive. So there will be no drivers on that drive, unless you save them to another.
After you complete the Windows install press the Windows Key +X and choose Device Manager. If there are no devices with yellow marks, you do NOT need any drivers.
If you require drivers, you can always go to the Lenovo Download site, type in your make and model # and download them there for free.

As stated, if you suspect you have Malware, it is suggested to do a Clean Install which is best, or you can follow up with the Malware Forum.
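
Saving the drivers to another drive before a clean install, as mentioned in the reply above, shown as an added example that is not part of the original posts. It exports the third-party driver packages and reports the signature status of each package's catalog, so that unsigned or tampered packages from a machine suspected of infection are not restored. The path E:\DriverBackup is an assumed external drive.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Assumption: E:\DriverBackup is a folder on an external drive (hypothetical path).
$dest = 'E:\DriverBackup'
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Export every third-party (non-inbox) driver package from the running Windows.
$exported = Export-WindowsDriver -Online -Destination $dest
$exported | Sort-Object ClassName |
    Format-Table ClassName, ProviderName, Version, OriginalFileName -AutoSize

# Each exported package is a folder holding an .inf, a .cat catalog and binaries.
# Check the Authenticode signature of the catalog. This validates the catalog
# file itself; Windows checks the binaries against it when the driver is installed.
$report = Get-ChildItem -Path $dest -Recurse -Filter *.inf | ForEach-Object {
    $cat = Get-ChildItem -Path $_.DirectoryName -Filter *.cat | Select-Object -First 1
    $sig = if ($cat) { Get-AuthenticodeSignature -FilePath $cat.FullName }
    [pscustomobject]@{
        Package = $_.Directory.Name
        Inf     = $_.Name
        Status  = if ($sig) { $sig.Status } else { 'NoCatalog' }
        Signer  = if ($sig -and $sig.SignerCertificate) {
                      $sig.SignerCertificate.Subject
                  } else { '' }
    }
}
$report | Format-Table -AutoSize

# Anything listed here should be downloaded fresh from the vendor instead of restored.
$report | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Package, Status -AutoSize

# After the clean install, restore the saved packages from an elevated prompt:
#   pnputil /add-driver E:\DriverBackup\*.inf /subdirs /install
```
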
thank you! I posted logs in Malware. I am interested to know because of my other potential risks.
I am having trouble doing a clean install. On a different PC, I made a USB but when I tried to do the clean install, I got a message that it couldn't find any drives, not C, not anything. Then I got a BIOS menu, I made sure USB is listed first. but restarting again didn't do anything, I don't know how to get a clean install to work. This is kind of different I guess so going to make a new thread? Feel free to put it back here if you think that is better.

editing to add - I did the clean reinstall (at least I think I did, ran into some roadblocks). It does seem to be running better, not sure whether that relates to malware or something else. But for example, Hypersnap before was doing this odd thing of capturing itself as the active window, now it is working normally. A few little things I guess.

Which means I still have the question though - is there any chance that there was a series of events like
-- laptop connected to Asus router with malware
--laptop infected
--laptop then connected to a different brand router, might that router have been infected? how to tell?
All you mentioned are possible.
I was afraid of that. Is there any decent product to check routers for malware? I didn't even know it was possible until a couple of days ago and now worried.
No products I'm aware of check routers for malware.

If you suspect your router may be compromised, the easiest thing to do is to perform a router reset.
Done, but supposedly Cyclops Blink can survive that. I think I'm tossing the Asus router as the easiest solution, it is EOL so won't get additional firmware updates and supposedly this survives a factory reset.

more from techspot --

"The new Asus module is built to access and replace a router's flash memory. The botnet reads 80 bytes from the flash memory, writes it to the main communication pipe, and then waits for a command with the data needed to replace the content. A second module gathers data from the infected device and sends it to the C2 server. A third module, "file download (0x0f)," downloads files from the internet using DNS over HTTPS (DoH)."


and from here

"
Malware overview
The malware itself is sophisticated and modular with basic core functionality to beacon (T1132.002) device information back to a server and enable files to be downloaded and executed. There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required.
The NCSC has published a malware analysis report on Cyclops Blink which provides more detail about the malware.
Post exploitation
Post exploitation, Cyclops Blink is generally deployed as part of a firmware ‘update’ (T1542.001). This achieves persistence when the device is rebooted and makes remediation harder.
Victim devices are organized into clusters and each deployment of Cyclops Blink has a list of command and control (C2) IP addresses and ports that it uses (T1008). All the known C2 IP addresses to date have been used by compromised WatchGuard firewall devices. Communications between Cyclops Blink clients and servers are protected under Transport Layer Security (TLS) (T1071.001), using individually generated keys and certificates. Sandworm manages Cyclops Blink by connecting to the C2 layer through the Tor network.....................
Mitigations
Cyclops Blink persists on reboot and throughout the legitimate firmware update process. Affected organizations should therefore take steps to remove the malware.
WatchGuard has worked closely with the FBI, CISA, NSA and the NCSC, and has provided tooling and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. Device owners should follow each step in these instructions to ensure that devices are patched to the latest version and that any infection is removed.
The tooling and guidance from WatchGuard can be found at: Web Detector.
In addition:
  • If your device is identified as infected with Cyclops Blink, you should assume that any passwords present on the device have been compromised and replace them (see NCSC password guidance for organizations).
  • You should ensure that the management interface of network devices is not exposed to the internet.
Indicators of Compromise
Please refer to the accompanying Cyclops Blink malware analysis report for indicators of compromise which may help detect this activity"

so.... I don't know much but definitely stressing over this.
How did you burn the USB flash drive that you are using to install Windows? What software?
When you are in the Install window of Where Would You Like to Install Windows? That means that the installer can't read your internal HDD/SSD. Meaning it may not be plugged in or it has failed.
In the Bios, under System Information, Is the internal HDD/SSD listed?
If it is listed in the Bios, Go to Advanced and look for Hard Drive mode. Is it set to IDE/Legacy? Or AHCI? it should be AHCI, If not this will not recognize the drive.
Also, Go to the Boot tab, is the computer setup for UEFI Bios, or Legacy/CSM? If you created a USB Flash drive using standard MBR Bios (Legacy/CSM) in an app like Rufus and tried to install it on a UEFI Bios, it would not recognize the drive. Try using the Media Creation Tool from the Microsoft Windows ISO download page.
I burned it off a different desktop, which goes to a different router, directly from the link on Microsoft support that you show above.
When I would restart, I had a lot of trouble getting to the bios, one time it did start from the usb but then not see the internal drive (which definitely is fine).
another time though i did get into the bios but unfortunately not sure how i did it. will try to do it again and check that boot setting.
To boot into the Bios on an Asus computer, from a cold start, power the computer on then start pressing the F2 button continuously or hold it down. It should load Settings (Bios).
Scroll down to General Situation (Before booting) [Notebook/Desktop/AIO] How to enter the BIOS configuration | Official Support | ASUS USA
I did get into the Bios but ---

It is a Lenovo ideapad 17in, not an Asus computer.

I got into the Bios, I disabled then reenabled Secure Boot. I was not able to find the UEFI setting or hard drive setting.

Then it was asking me for a Bitlocker key, I have never used Bitlocker, I did get the key though so now I can start the computer normally.

But please look at these screenshots of BIOS settings (some stuff redacted , I wasn't sure what was more personal so may have over-redacted)
I don't see where to get into the choices you mentioned above,
Advanced and look for Hard Drive mode. Is it set to IDE/Legacy? Or AHCI? it should be AHCI, If not this will not recognize the drive.
Also, Go to the Boot tab, is the computer setup for UEFI Bios, or Legacy/CSM
in fact I didn't see any advanced setting at all.

Here is the link to the Lenovo support for this model


but I couldn't find anything to help me get into advanced Bios settings.

When I have the USB disk with the Windows media loaded, it sees it (that usb is ESD-USB and it calls it C even though it is an external USB drive) and what it calls Boot drive letter X is actually the internal C drive. But I still get the error message when I try to reinstall Windows. When I take out the USB and restart everything looks ok and the C drive is definitely ok and working.

Please help.
What is the Make and Model # of the Lenovo laptop?
Put the Windows 11 Installer in the laptop. Boot back into the Bios and Enable Secure Boot; if you have that then this is a UEFI Bios. Go to the Boot Tab, move the Flash drive to First Boot Device using your arrow and Enter key. Restart the computer; it should boot to the Windows 11 Flash Drive. If not, restart pressing the F12 key continuously for a one time change of boot order and select the Flash drive.
To do a Clean Install, in the Windows Installer, select your Language, then Custom Install. In Where Would You Like To Install Windows? it should show your drive. Delete All Partitions until the drive is Unallocated Space, then press Next. Windows will create partitions and format them during the install.
hi, it is

IdeaPad 3-17ITL6 Laptop - Type 82H9

that link is the support page i get after entering my serial number.
the USB drive is the first thing listed on the Boot menu, but weirdly the others seem to be internet, not C? it boots totally normally so definitely I am not understanding something.


Just followed your instructions.
I get this far
To do a Clean Install, In the Windows Installer, Select your Language, then Custom Install-----then..........
then I don't get an option to choose a drive,
instead I get the same message,
No signed device drivers were found.

And it does not show any drives at all in the list, even though if Click Browse to find a driver folder, I get the same menu ( showing the USB drive as C and the internal drive as X) same as picture above. Selecting either of those, I get " no signed device drivers were found. make sure that the installation media contains the correct drivers"
then I cannot progress further.

I think when I tried yesterday it might have pulled drivers off the internet? now I am trying without an internet connection, just the Windows media, created directly off Microsoft support as you describe above.

I probably will go to sleep soon but will pick up from here tomorrow evening. Thank you! Sorry, I am sure I am doing something stupid wrong but no idea what it is.
Drive letters will change in the Recovery Environment.
In the Select the Drive to Install window, the only drive showing is the USB Flash drive.
You Have Blocked out the Make and Model # of the NVMe Drive.
The only Bootable devices are the Flash drive and the Ethernet Network Adapter.
There is something wrong with the NVMe drive. Try Removing it and Reseating it into the computer. If that fails, you can use a Standard SATA drive
It should look like this:
hi, what is the nvme drive? is that the normal C drive? see screenshot re make and model but everything works ok the rest of the time. doesn't that mean the C drive is ok? i don't know anything about partitions, i didn't partition it but i guess maybe it came with drivers in a different partition?

i am worried about pulling out the c drive (i would definitely be taking it to someone, way past what i can do in terms of hardware) if it seems to work fine in every other way. but do you think this is possibly malware? (have already been cleared in Malware forum though, just a day or two ago).

Definitely the BIOS isn't showing a bootable C drive and i don't understand that at all but especially that it powers on and boots completely normally.
OK, the NVME Disk is the drive that C: Windows is installed on. And it is set as the Windows Boot Manager as it should be. Can you Select this by Pressing Enter key and see if there is a choice to Enable it using the F5 or F6 key?
You can also press F9 to set the Bios to Defaults.
thank you, will look at that and post later this evening (it's early am where I am right now). I did try F9 to set bios back to defaults at one point yesterday but not sure what else I may have done at the same time.