Early last week, I turned my Windows system on (it usually remains off) and got to the desktop. Before I launched any applications, I had to leave the machine unattended. When I returned, I found that the system had rebooted and was stuck on the word "Welcome". I rebooted the system again and got in, but things were "not right". After some poking around, I found that all the System Restore data was gone. The installed update list was completely empty. The system was also unstable. Prior to the issues, I had been running Avira antivirus, Panda Cloud antivirus, Ad-Aware, and Malwarebytes. None of these could find any infections. I tried for 2 days to run GMER, but possibly due to limitations on the number of files it can scan, it would slow down to about 1 file per second after an hour or so. The system has over 800k files and would have had at least 300k more to go, which would mean several months to complete (if it would complete at all). I attached the drive to another system and tried to just scan the files on the drive, but got the same results. I also need to mention that Windows Update keeps trying to install KB977165 and KB979683. A search on the web quickly told me that this is a symptom of a "deeply embedded rootkit". My feeling is that whoever had compromised my Linux server still has some level of access and compromised my Windows 7 system through it.
I have since tried scanning the system with Avira AntiRootkit, RootkitBuster, F-Secure BlackLight, and Sophos Anti-Rootkit, none of which find anything. I am a seasoned technician with many, many years of experience. I have experience removing viruses from corporate systems and have had very great success in doing so, but this one has me completely stumped. I had a virus problem a few years ago and was helped by people on this forum (and I must say that they greatly increased my knowledge of virus removal), but they were never completely sure they had solved the issue, and I finally had to do a clean install. I know I will be admonished for this (I've read a great many threads these past few days on several boards, including yours), but as a last resort I tried running ComboFix. ComboFix will not even complete Stage 1 (after about 20 minutes, the system BSODs and restarts). As per the instructions posted here, I downloaded DDS. That, too, will not complete, and after 20 minutes the system BSODs and restarts, so I never get the log (I tried running this 3 times).
Bottom line: Avira antivirus, Panda Cloud antivirus, and Malwarebytes detect nothing. The anti-rootkit software listed above detects nothing. MBR.EXE gets a read error on item 3 (it does not specify the exact problem), says the kernel is OK, and then hangs. ComboFix, as well as DDS, stalls and eventually BSODs. GMER will not complete, possibly due to the number of files being scanned. It would be easy enough just to do a clean install, but I would rather track this down and fix it. Not only for my knowledge, but a bug as nasty as this needs to be identified so that countermeasures can be developed, especially since it seems to know to block the tools available on this site. It truly is an undetectable rootkit. I know this is a place for techs to train, but you might want to put one of your more seasoned people on this one.
Windows 7 Ultimate 32-bit (was fully patched as of mid-December)
Dell Precision 530 running 2 Xeon 2.8 GHz processors
Syba SilRaid SATA controller
1 TB SATA drive
In advance, thank you so much.
Edited by Maj. Matt Mason, 09 January 2011 - 10:14 PM.
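The post describes two concrete, checkable symptoms: an empty installed-update list while Windows Update keeps re-offering KB977165 and KB979683, and the disappearance of all System Restore points. The following triage script is an added example and is not part of the original post or of any tool the poster names. It assumes an elevated Windows PowerShell prompt on the affected machine; the two KB numbers are taken from the post, everything else is a generic comparison of the Win32_QuickFixEngineering hotfix list against Windows Update's own history.

```powershell
# Added triage script (not from the original post). Run from an elevated
# Windows PowerShell prompt on the affected Windows 7 machine.
# The two KB numbers are the ones named in the post.
$kbs = 'KB977165', 'KB979683'

# 1. Installed hotfixes as reported by Win32_QuickFixEngineering (Get-HotFix).
#    The post reports this list as completely empty, which is itself unusual
#    on a machine that was fully patched a few weeks earlier.
$hotfixes = @(Get-HotFix)
"Installed hotfixes reported by Get-HotFix: $($hotfixes.Count)"
foreach ($kb in $kbs) {
    $hit = $hotfixes | Where-Object { $_.HotFixID -eq $kb }
    if ($hit) { "$kb : present (installed $($hit.InstalledOn))" }
    else      { "$kb : NOT in the installed list" }
}

# 2. Windows Update's own history for the same KBs, via the Windows Update
#    Agent COM API. Operation 1 = installation, 2 = uninstallation.
#    ResultCode 2 = succeeded, 3 = succeeded with errors, 4 = failed, 5 = aborted.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$history  = @($searcher.QueryHistory(0, $total))
"Windows Update history entries: $($history.Count)"
foreach ($kb in $kbs) {
    $entries = @($history | Where-Object { $_.Title -match $kb })
    "$kb : $($entries.Count) history entries"
    foreach ($e in $entries) {
        "    $($e.Date)  Operation=$($e.Operation)  ResultCode=$($e.ResultCode)"
    }
}

# 3. Remaining System Restore points. The post says they are all gone.
$points = @(Get-ComputerRestorePoint)
"System Restore points: $($points.Count)"
$points | Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize
```

Read the two lists together: a KB that shows repeated Operation=1 / ResultCode=2 entries in the Windows Update history yet never appears in Get-HotFix means the install is reported as succeeding but its result is not persisting, which is the discrepancy worth capturing before deciding between further analysis and a clean install. Run it twice, before and after letting Windows Update retry, to see whether the history grows while the installed list stays empty.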