BleepingComputer.com: Seriously Infested Computer - Very Cautious


Seriously Infested Computer - Very Cautious Multi-Process App Duplicator Infection took a shot with the title. I have an infection, just not sure what.

#31 m0le (Malware Response Instructor, London, UK)

Posted 27 November 2011 - 08:04 PM

Okay, these are my thoughts.

I have seen nothing in any of the logs that tells me there is anything untoward.

You are comparing an old FAT-partition install to your current NTFS install, which would remove quite a lot of access that you previously had which may explain some of the odd permission issues you are experiencing.

The only way for me to tell you that you are clean is to do the following:

First things first, do you use any flash drives on the machine that could transfer the infection? If so let me know.
If I have helped you fix your PC then please donate. Thanks

m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#32 Dave-Z (Member, MD, USA)

Posted 27 November 2011 - 08:31 PM

Hi M0le

I made sure not to use any data I had stored at all, everything came from install CD or Web, no driver discs, no flash drives, etc.

I installed, then went through usual housekeeping, firewall settings, etc. I didn't even look at the event log the first time, my mistake. Looking at the log, I noticed I copied in a system image restore, my mistake and apologies, which would explain the different dates. I had saved a bunch the last few days, named similarly. Easily willing to run through a brand new install again, grab the log as soon as I logon, and post a copy.

Having done 2-3 installs in the last 2 days, I can say with conviction that I do have limited permissions from the get-go, but I'll run through it again, so we both can be sure there is nothing but fresh info, uncorrupted by me at least.

Is there anything else you would like me to do or grab to post back to you? I'll use factory install disc and factory driver cd, no corruption there. I'll jump on the web real quick, download anything you want me to run, and get results back to you.

#33 m0le (Malware Response Instructor, London, UK)

Posted 27 November 2011 - 08:52 PM

Did you reinstall the Operating System, Antivirus and Firewall offline?

#34 Dave-Z (Member, MD, USA)

Posted 28 November 2011 - 02:05 AM

I had Firewall and OS to do offline, but did not have AV I could guarantee clean unfortunately. (I still did not install from suspect source, but went direct to BitDefender, purchased a year of their total security 2012 in advance, downloaded and installed as quick as I could. This was just before 11:00p in terms of logs)

Here is a copy of the log, all events from initial install, guaranteed clean, certainly for first half hour or more before I plugged ethernet cable in. No guarantees after 10:50p, which is when I went online...

Sorry for the many attachments, these logs are huge for what should be text. Of course, in the end they zipped up quite nice. Ok, cleared them out, single files, sorry for the jabbering.

I am including a copy of the bitdefender log, in case you should want to see it. At logon, I again was locked out of services, rules, etc... No way to stop the bleeding until I can overcome that. As well, whatever this is seems to be able to use any filename/attributes to spoof for whatever it's doing. As Bitdefender blocked one item, like svchost, smss would come on, lsm, csrss, synchhost, etc... It was also piggybacking on Explorer, but I could not stop that.


#35 Dave-Z (Member, MD, USA)

Posted 28 November 2011 - 08:30 AM

Hi M0le, just an FYI, going to pick up a hard copy of Internet security suite, and go through process again. I want to make sure I'm giving you as accurate information as I can. More to come. Thanks for your patience.

#38 m0le (Malware Response Instructor, London, UK)

Posted 28 November 2011 - 08:44 PM

I'm not sure what it is that you are actually worried about. You reinstalled the operating system from a clean disk, you reinstalled the firewall and you installed a brand new copy of Kaspersky - all offline.

You have no other way of infecting yourself, as you have no removable devices, and so the system must be clean.

What users are being added?

Which reg keys are you being locked out of?

Is the machine actually running well?


Finally...

Quote: "all the stinking windows services are added with full trust for KASP"


Which services are being added? How do you know they are not legitimate services?


Can you also please run Junction; this will tell me if any permissions are being killed.

  • Please download and save: Junction.zip
  • Unzip it and place Junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.
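A script that reports the same kind of information as the Junction run m0le asks for above, listing every NTFS reparse point under a root and its target, is added here as an example for this thread; it is not m0le's procedure or the Sysinternals tool, and it assumes Windows PowerShell 5.1 or later plus a constructed allow-list of target prefixes that are normal on a stock install:

```powershell
# Added example (not the Junction tool): enumerate NTFS reparse points
# (junctions, symbolic links, mount points) under a root, roughly what
# "junction -s c:\" reports, and flag any whose target lies outside the
# locations a stock Windows install creates. Requires PowerShell 5.1+.
param(
    [string]$Root = 'C:\',
    [string]$OutFile = "$env:USERPROFILE\Desktop\reparse-log.txt"
)

# Constructed allow-list of target prefixes that are normal on a stock
# install; a miss is a reason to look closer, not proof of malware.
$expectedTargets = @(
    'C:\Users',
    'C:\ProgramData',
    'C:\Program Files',
    'C:\Windows'
)

function Get-ReparsePointReport {
    param([string]$Path)
    # -Attributes ReparsePoint returns only junctions/symlinks/mount points;
    # -Force includes hidden compatibility junctions such as
    # "C:\Documents and Settings" -> C:\Users.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Target is a string array on 5.1; take the first entry and drop
            # the NT "\??\" prefix some hosts show on junction targets.
            $target = (@($_.Target) | Select-Object -First 1) -replace '^\\\?\?\\', ''
            $ok = $false
            foreach ($prefix in $expectedTargets) {
                if ($target -and $target.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $ok = $true; break
                }
            }
            [pscustomobject]@{
                Path     = $_.FullName
                LinkType = $_.LinkType      # Junction, SymbolicLink, ...
                Target   = $target
                Review   = if ($ok) { '' } else { 'target outside expected locations' }
            }
        }
}

$report = @(Get-ReparsePointReport -Path $Root)
$report | Format-Table -AutoSize | Out-String -Width 300 | Set-Content -LiteralPath $OutFile
$flagged = @($report | Where-Object { $_.Review }).Count
Write-Host ("{0} reparse points found; {1} flagged for review. Log: {2}" -f $report.Count, $flagged, $OutFile)
```

Run it from an elevated prompt so protected directories are readable; the resulting text file can be pasted into a reply the same way as the Junction log.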

#39 Dave-Z (Member, MD, USA)

Posted 28 November 2011 - 08:49 PM

Diskpart Clear All
(0'd out entire drive)
Install from Factory Disk
Disabled all remote services, services, progs through firewall, etc.
Installed a few necessary drivers with windows firewall set to Block All, both in and out
After 1st driver restart, more services blocked.
(same issues at start up, accounts being added, rule reg keys denied)
No need to wait...
I purchased hard copy of Kaspersky Pure Total Security 2012, one of highest rated suites available.
Threw in install disk, plugged in Ethernet, the program was up and running in about 3-4 minutes.

Immediately, all the stinking windows services are added with full trust for KASP, I saw right away, manually placed them all into untrusted high threat, there were so many accessing Internet it was nuts, at least 20 at once...

Once I adjusted trust level, stopped traffic for most part, though I could see IE itself spoofed a few times, nothing I could do about it. As soon as database was updated and prog authenticated, pulled the plug on ether.

KASP updated itself, ran initial scan, found nothing. Of course, how could it when all file attributes are completely rewritten to same date, etc, perfectly mimicking normal windows files.

KASP was either ready to restart on its own, or was sent a shut-down command from system, it has done this with Trend Micro in past.

Restart, but it stalled, (as usual), could not get to logon screen.

Restart, get to logon, my passwords are all incorrect, can't log on with any of my accounts.

Booted to safe mode, my User logon was still password denied, but I was able to get in with first account, admin level.

Tried to run KASP again, but it won't run in safe mode.

Just for increased chance of getting in, added a new account, admin level.

Rebooted to normal startup, all three accounts now password disabled.

Booted into safe mode, same thing, total lockout.

Tried to repair /restore, both failed. Only thing I seemingly have left to do is reformat, reinstall.

Total bust.

Anytime a threat to whatever this is is detected, it's either neutralized or if it can't be, the system just boots all accounts, game over.


M0le, how can you fight something that inserts before any logical point, replaces all attributes exactly as they were from original install, and uses mimic accounts of actual accounts, mine, to make changes?

KASP didn't seem to stand a chance. Maybe it was close to detecting something, likely given the system response, and is killed on the spot.

This bug has kernel authority, it can over-ride basically anything it wants, if not immediately, then shortly after or at next restart.

Since I zeroed out all sectors of drive (unless even that function is not to be trusted...), I am left with 2 possibilities in my mind.

1. It's residing in the BIOS. I wrote a while back that I found a wireless adapter shell added to boot sequence, leaves little doubt in my mind, as I certainly didn't do it, and it's totally nonstandard for Award BIOS. It had to be dropped in by malware. This means it's in the system before the kernel even initialized, and again can do whatever it pleases.

2. Far scarier, though much less likely, it's embedded itself into the firmware of one of my components, and I don't even want to think about that.

I'm out of ideas...

#40 m0le (Malware Response Instructor, London, UK)

Posted 28 November 2011 - 09:04 PM

Please read my reply above your last post.

If current malware was being installed in the BIOS then your boot would be heavily affected by it. At the moment, the MBR rootkits are detectable and removable. The MBR is the only area where a full reformat and reinstall does not remove these bootkits. aswMBR was run earlier in your thread and nothing was found.

You are barking up the wrong tree here, ZDave, this is not malware.

#41 Dave-Z (Member, MD, USA)

Posted 29 November 2011 - 07:53 PM

Hi M0le,

I hope all is well. I wanted to take the time to thank you for your time and assistance throughout this process. I know I have been difficult to deal with, and want to apologize. This entire experience has made me quite nuts ;)

I don't know what to make of the computer behavior, and it's shaken my trust in more ways than one. Not being able to understand what's happening, nor achieve a system set-up that doesn't have aberrant symptoms, it's not only disappointing, but preventing me from resuming regular computing activities, leaving a deficit I cannot resolve.

I still don't know why even after a fresh install, I still don't have access to areas that should not be limited, I've certainly never encountered this before, and if not malware, am feeling there is little left for me to do.

Again, thank you for your time, patience and expertise. I wish you well.

Kind regards. Dave Z

#42 m0le (Malware Response Instructor, London, UK)

Posted 29 November 2011 - 08:10 PM

Hi Dave,

You're welcome. I understand that this makes people become suspicious of everything, I have seen it many times.

I will therefore close this topic and let this thread come to an end.

I hope that you do get this sorted out one way or another.

m0le

#43 m0le (Malware Response Instructor, London, UK)

Posted 29 November 2011 - 08:10 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.