I hope someone out there can help me. I have what seems to be the nastiest malware infection ever. It started back in October and all three of the computers in my house display the same symptoms. This bug has done all sorts of nasty things from locking me out of my own computers for hours to changing settings (ex: changing it so the off button doesn't turn the computer off, it puts it to sleep), to installing "generic" peripheral devices and drivers, swapping out my CD/DVD drive with a network drive, changing the boot order so the computer boots from a network drive instead of my hard drive, shuts down spyware/malware protection programs (in fact, it eats most of them for lunch!), shuts off Windows updates, changes my duo core processor to show just one processor, runs what I suspect is Windows NT or Server 2003 but uses graphics to make it look like I'm running Vista, uses a telephony program to call who knows where... basically, it's a huge computer nightmare and all my efforts to rid myself of it have been unsuccessful. There are days that I can use my computers and days that I can't. I've purchased two new computers hoping to "start fresh" and they were instantly infected. I think this will be an interesting case for someone who is interested in spybots/malware, etc. and I am hoping you'll know how to help.
Let me give you some specifics about the situation.
Here's what's going on:
- Computer hooks up to some network that I don't know. There is a DNS/DHCP/Socks address that's not visible to me. I can't always tell when I'm connected to the network, but when the network is not connected, I have trouble connecting to my own ISP (Comcast). I usually have to do IPCONFIG /flushdns to get it to work and that doesn't always do the trick.
- Though I am supposed to be the administrator of my computers, I'm constantly told I don't have permission to do all sorts of things, including relatively benign tasks like removing game files or deleting Adobe Reader 8.0 after I learned it had vulnerabilities that could allow someone to take over your system (ya think!?)
- When I try to download updates or drivers, I'm often told "This driver only works with Windows Vista" and I'm like... uh... hello? I have Vista... what's the problem? This leads me to believe the malware runs either Windows NT or server 2003, plus, the interface is no where near as nice as the real Vista.
- Automatic updates for Windows won't work. When I manually install them, it acts as if it is working but I am quite sure it does not. If I view hidden folders, I see files called "spuninstall" and the update number. I'm not sure what this is but it seems suspicious to me.
- I now shut the computer off when I'm not using it but when I used to leave it on all the time, I remember getting up in the middle of the night and that thing was working like crazy - lights flashing away and the processor was going full speed ahead -- sort of scary. I've actually started unplugging it at night...
- The list of devices/peripherals is a mile long and all I have hooked to the computer that's not part of the original configuration is a printer.
- On start up, there is an icon in the tray on the lower right that says it's safe to remove a peripheral (I have no peripherals installed). When I click properties it shows a "mass storage device" and it shows as an "E" drive when I look at computer properties. I called the manufacturer and they said this is not normal... though they could not tell me how to get rid of it. I do believe that this is how the network makes initial contact with my system and loads files, etc.
- There is a redirect on IE and it won't let me update to IE 8 Beta and I suspect that the emergency patch Microsoft issued in December isn't being applied, though I downloaded it.
- Latest - showing as 86-bit machine when I look under the device manager. That can't be right, can it?!?
Here's what I tried to fix the problem:
- Wiping the computer and reloading the system - I've done this literally a dozen times. A certified Microsoft tech did it at least two of those times. I even used a program that wipes the drive to US Government top secret security standards. It took like 72 hours to complete! It didn't work. I've learned that the malware installs an "X" drive and apparently, enough data lingers here for the malware to regenerate. I think the peripheral drive I mentioned above might be related here. The drive stays in and the malware connects to it and reinfects the clean system? The last time I wiped the drive, I got an error message about a peripheral I should remove.
- Editing the registry - I've literally wiped the registry by hand, deleting items line by line. There are several protected roots (are these part of a 'root kit' or just part of the computer?) that could not be deleted. I've tried numerous registry editor software packages but my expertise just runs out when it comes to the registry and I get over my head fast. I do think someone who is confident in that area could probably do wonders.
- Reviewed files in the system and programs folders (these don't always make sense to people, I know, but there's some stuff in there that seems just completely wrong... ) In fact there was something in there that labeled my computer a "volatile" environment no doubt due to the efforts I've made to get this garbage off my computers! They think I'M volatile!? These are my computers!! Who's calling whom volatile?!
- Changing out my cable modem and wireless modems (thinking maybe they had my MAC IDs) BTW - my wireless has WPA encryption and I live in an upscale building where most of the residents are older and barely know how to turn on their computers never mind hack one. I know this is no guarantee, but I'm reasonably sure this isn't one of my neighbors who hacked my wireless...
- Tried numerous spyware/internet security programs: Norton, Kaspersky (best so far...), Trend Micro, AVG, CA, Onecare and numerous online scans. None pick up any malware on my system.
- Tried Unhackme software and Spybot Search and Destroy but I seem to get into trouble when they start taking things off - system won't start, etc. so I need some guidance there.
Efforts to seek help...
- Microsoft certified tech from Circuit City - came out and stripped all of the computers. They ran OK for about a day before they were totally reinfected. He stripped them again - same thing.
- Called Comcast security - basically got dismissed. They provide McAfee security free for customers and this should keep you safe. If you have malware, get professional help. Basically -- this is not our problem, lady. I was thinking they'd be concerned someone was using their wires for bad things... trust me, they were not concerned at all.
- Called Averatec - confirmed that it's not normal to have an icon to remove a peripheral or an E drive. Suggested I return the computer to CompUSA (the thing of it is, I already returned TWO thinking I could beat the bot that way and it didn't work... why would this time be different??)
Computer Specs:
Averatec all in one dream machine
22"
Vista Home Premium
Intel Duo Core processors 2.4 GHz
3 gigs RAM
Any help and advice you can offer will be very much appreciated. Thanks in advance and I look forward to speaking with you soon.
Laurie O