Fails to reload Windows 11 Pro OS after being compromised

I ordered this laptop for my mother on 03-23 and was delivered on 10-23. I built it and loaded Windows 11 Pro with Rufus with no issues. Unit has been working fine for her ever since. I did update the BIOS to 3.02 at some point since then. Last week she told me she is getting these popup errors that won’t go away. (Great, I know) I look at the unit and there is clearly some malware on it now. Her user account was a standard user and not an Administrator.

Here is where things get interesting. She said she tried to X them out to close them, but it didn’t work. Nothing is flagging with any of the malware scans run on it. But when it connects to the internet, the scam popups start nonstop. I figure no big deal; I will just roll it back to the setpoint I made when I set it up. Well, it removed it. But what is a first for me is when I tried to log into the admin account, it somehow removed the set password. I now have no access to an admin account. Not an issue I think, I will just reload Windows, or so I thought. I can’t restore windows from inside as it has changed the admin password.

Here is where I am now stuck. I cannot get it to load the Windows install start. I can get into the BIOS and I have turned off the boot from the current installed windows and just boot from USB. I have tried using Rufus and using their version of Windows. I also tried loading it directly from Microsoft and running it. I tried this multiple times with the USB boot, I even fully formatted the USB drive between tries just in case. All this effort has gotten me 3 outcomes. 1: I get a fail notice. 2: It goes to [INFO] Launching 'efi\boot\bootx64.efi '… and will just hang. 3: It goes to [INFO] Launching 'efi\boot\bootx64.efi '… then the next line I get a _ and it hangs again. I have waited up to 20 min for something to happen and it never does in any of these.

I am at a loss at what is going on. It is almost like I just need to get a new SSD or somehow format it outside the laptop and try again. I would rather not hook this drive up to anything as this thing has the AIDS.


  • Windows 11 Pro
  • Latest patch
  • Framework Laptop 13 DIY Edition (AMD Ryzen™ 7040 Series)

Hi @Joe_Battista_PhD,

Welcome to the Community! :grin:

Sorry to hear your Mom’s machine has the ick. :thermometer: It probably has a rootkit installed too that is making things extra difficult.

Did you try creating the Microsoft Media Creation tool and booting from the USB it makes? I believe it gives you the option to fully format the drive and start over. It is not obvious though since it will “see” Windows is already installed and thinks you do not want to blow it away.

https://www.microsoft.com/en-us/software-download/windows11

Alternatively, you can create Live USB for Ubuntu and have it wipe the drive like you are going to install Ubuntu. Then you can go back to the Windows USB and it should give you the option to wipe the drive and create a fresh install of Windows cleanly on the machine.

https://ubuntu.com/tutorials/install-ubuntu-desktop#1-overview

Those are two things I can think of off the top of my head. Going forward, have your mom buy a copy of F-Secure. The built in anti-virus for Windows is a little weak.

(This is just my personal recommendation for anti-virus and threat protection; it is very hands off and not bloaty like a bunch of others out there)

This is a bootloader level problem. If you haven’t tried, use the official Media Creation tool to create your bootable USB. Rufus uses this UEFI_NTFS open source project to boot the Windows Installer which has some compatibility problems and isn’t secure boot compatible. Also maybe reset your BIOS.

There’s also a VERY slim chance that it’s got a compromised UEFI firmware. Those things exist…


Yes this sounds fairly simple and I do wonder, does your mum really require Windows?

I have one application that requires Windows, to manage an off grid solar system so I bought a pre-build with Win and now it’s my go to OS. Else I would use Ubuntu which is currently part of my dual boot.

All the best

You may also need to run an nvme secure erase on that stick – I can’t spot a LiveUSB Linux (so no recommendation, I hope the Ubuntu LiveUSB) image that has the nvme-cli utilities that tell an NVMe SSD to ‘forget your encryption key for the storage you’re using and generate a new one, and consider all blocks as empty’.

K3n.

Yeah it would not hurt to perform a complete deletion of that drive and reinstall just to make sure. If you feel that there is something on that drive you just don’t want to lose, search for “Malwarebytes Anti-rootkit scanner”. I love Malwarebytes and I hope this is the version that you can install on a thumbdrive (from a good computer) then stick in your mom’s FW and scan off of directly during boot (w/o booting into Windows at all).

I would have posted the link but I don’t want you to feel like anyone is trying to trick you into clicking into more malware. :slight_smile:


As I said, I tried using Rufus and also directly from Microsoft. Same boat either way. I can try the Ubuntu method to wipe it and see what happens.

Require is a very selective term. Like most people, she knows windows and at her age has no desire to try and learn anything else or deal with changes. So, I guess the answer is yes. LOL But from a software requirement standpoint, not really.

There is nothing on it that can’t be deleted. I plan on doing a full format on the drive for the new OS.

System Rescue is great for this kind of stuff.

If you’re seeing that UEFI:NTFS v2.5 message even with the Microsoft official DVD image, you are not booting from the right device. The Microsoft official DVD image does not use UEFI:NTFS v2.5

Well, it seems to keep getting better. ROFL (not really) Loaded Ubuntu onto a USB using Balena. Hung up twice but it finally got to the language screen to load Ubuntu. Go down the line and I get to “erase disk” option.


Click next to only get to this.

Sorry got to cut this up because of photo limit.

This is strange as I selected the “erase disk” option. I go back and attempt to do it manually but I can never get the loader to allow the next button to be pressed no matter what I tried.

I decided to load into Windows and try turning off BitLocker only to be greeted by this lovely window.


It is not on, so Windows claims.

When it rains it pours. I know I can do dumb things at times, but I am fairly sure I am not getting hung up because something I am doing or not doing here. I am feeling to the point I think a hammer to this SSD is about my only option. I have wasted so much time on this had I had the hindsight I have now I would have just bought a new SSD. I have never had one kick me like this before. But I do not tend to wind up in this situation either.

Any other last-ditch ideas before I go full hammer time? Now where are those puffy pants…

You do not need to launch the Ubuntu installer to run the nvme-cli tools to erase your SSD. You can choose “Try Ubuntu” instead.

Alternatively, you can use System Rescue which is a little lower-level–still Linux!–and does not have a guided install process for you to get tripped up on.

Once you boot it, you can follow the steps in this AskUbuntu answer starting with sudo nvme list.

If you get an error stating sudo: command not found, you can leave sudo off (if using System Rescue).

I tried the “try Ubuntu” option. It either sits on this screen


or if it does boot it goes right to this and locks up.

I will look into the System Rescue. I am about to just order a new drive, this is nonsense.

If SystemRescue doesn’t work, or hangs during boot, I suspect you have a bigger issue than a new SSD will fix.

You can also try booting Ubuntu without the SSD just to make sure. If it still fails, your problem lies elsewhere: USB, RAM, the mainboard, etc. :slight_smile:

In general, you shouldn’t destroy a component until you’ve made sure it’s the actual root cause of your issues!

Normally I would agree with you. If I load into the infected windows OS, the system “works fine” so to speak. The unit was working with no issue until it got infected. Whatever this infection is, is serious. As mentioned, it has removed the admin password while being used from a “user” account and many other things. It has also so far stopped me in my tracks from loading any OS. While I think the SSD is physically fine, it has what seems like government level spyware locking it down. Unless the malware has embedded itself in the BIOS or some other hardware using a zero-day, I am at a loss at this point. This is not my field of expertise, but I know enough to be dangerous. That is why I am reaching out here.

If you’re going to erase the nvme drive anyway, any Linux boot disk would be enough, say arch, and then what you could do is overwrite the partition table so it can’t boot from the infected bootloader any longer.

dd if=/dev/zero of=/dev/nvme0n1 count=1 bs=1M

For example, should be enough to wipe out the bootloader. You might have to change what the of= to your specific hardware.

You can use lsblk to see what devices show up. There should be only 1 nvme drive.
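The wipe procedure from the post above (zeroing the start of the disk with dd) combined with the NVMe secure erase suggested earlier in the thread, as an added example that is not from the thread, from Framework, or from any of the posters. It assumes a Linux live USB with nvme-cli and util-linux (wipefs, lsblk, findmnt) and that the compromised disk enumerates as /dev/nvme0n1; the file name wipe-nvme.sh is made up for the usage line. By default it only prints the commands, refuses to act on a partition rather than the whole namespace, and refuses to act on the disk the live system itself booted from, which is the mistake that matters most when you are typing this on the same machine:

```shell
#!/bin/sh
# Added example, not code from the thread. Plans the wipe of a compromised NVMe
# SSD from a Linux live USB: a cryptographic erase via nvme-cli (what the thread
# describes as "forget your encryption key") followed by clearing the partition
# table (the dd step from the post above, plus wipefs for the backup GPT).
# It only prints the commands unless WIPE_CONFIRM=yes, and refuses to touch a
# partition or the disk the live system itself booted from.
# Assumed: nvme-cli and util-linux (wipefs, lsblk, findmnt) on the live image.

# Accept only a whole NVMe namespace such as /dev/nvme0n1, never /dev/nvme0n1p2.
is_whole_nvme() {
    printf '%s' "$1" | grep -Eq '^/dev/nvme[0-9]+n[0-9]+$'
}

# Disk that holds the live system's root filesystem (best effort: live images
# usually mount an overlay, in which case we fall back to the first USB disk).
live_root_disk() {
    src=$(findmnt -no SOURCE / 2>/dev/null)
    pk=$(lsblk -no PKNAME "$src" 2>/dev/null | head -n 1)
    if [ -n "$pk" ]; then
        printf '/dev/%s\n' "$pk"
    else
        lsblk -dno PATH,TRAN 2>/dev/null | awk '$2 == "usb" { print $1; exit }'
    fi
}

# Print a step in dry-run mode, or echo and execute it when WIPE_CONFIRM=yes.
run_step() {
    if [ "${WIPE_CONFIRM:-no}" = "yes" ]; then
        echo "+ $1"
        eval "$1"
    else
        echo "DRY RUN: $1"
    fi
}

# plan_wipe DEVICE LIVE_DISK
# Prints (or runs) the three wipe commands for DEVICE.
# Returns 1 without printing any step when DEVICE is unsafe to wipe.
plan_wipe() {
    dev=$1
    live=$2
    if ! is_whole_nvme "$dev"; then
        echo "refusing: $dev is not a whole NVMe namespace" >&2
        return 1
    fi
    if [ "$dev" = "$live" ]; then
        echo "refusing: $dev holds the running live system" >&2
        return 1
    fi
    # --ses=2 asks the controller to discard its media encryption key
    # (cryptographic erase); fall back to --ses=1 (user data erase) if the
    # drive reports that it does not support it.
    run_step "nvme format $dev --ses=2"
    # Zero the first MiB (MBR, primary GPT, any bootloader stage), as in the
    # post above; this covers drives where the secure erase is not honoured...
    run_step "dd if=/dev/zero of=$dev bs=1M count=1"
    # ...and clear the backup GPT at the end of the disk, which dd leaves alone.
    run_step "wipefs -a $dev"
}

# Usage: sh wipe-nvme.sh /dev/nvme0n1            (dry run, prints the plan)
#        WIPE_CONFIRM=yes sh wipe-nvme.sh /dev/nvme0n1   (actually erases)
if [ $# -gt 0 ]; then
    plan_wipe "$1" "${2:-$(live_root_disk)}"
fi
```

Run it once without WIPE_CONFIRM and read the three printed commands against the lsblk output before running it for real; after the erase, the Windows USB should see an empty disk and offer a clean install without the BitLocker prompt the thread ran into.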

I have wasted enough time messing with it. I just bought a new SSD. So “this” problem is “solved”. Now onto the next issue, for another post.


Recently, I installed Windows 11 on two different machines and was surprised that BitLocker was mysteriously already turned on even though I had not activated Windows yet! My guess is that it is now enabled by default upon installation. The default installation just presumes everyone wants BitLocker and as soon as you activate Windows it gives you the full functionality.

Fortunately, I had already linked my token Microsoft account I use for basic installations and the recovery key had been uploaded. Why would I need the recovery key? Well when I went to dual-boot/install Ubuntu I was surprised that BitLocker was already turned on even though I had not done it. In the process of fiddling/investigating; the next time I tried to boot Windows it asked for my recovery key, ruh roh! What recovery key I thought? I pretended that I needed whatever was on the Windows installation and thankfully found the recovery key had been uploaded to the Microsoft account I used to install the OS.

The linux experts can probably expand further on manually formatting the SSD so you can start fresh again. I can not remember if I read this that Ubuntu sees BitLocker and halfway tries to not let you accidentally format the drive through some prompts.

Best wishes to you!

If it turns out that the new SSD fixes all your issues and you haven’t destroyed the old one, I will buy the potentially-compromised one from you[1]. Seriously!


  1. restrictions such as “I’m in the US” and “you’d be willing to sell it” apply (: