First, I'm glad to have finally joined, thanks for all the help you have posted on the site. I'm pretty knowledgeable about what I'm doing, and this is the first time I've ever had to get help. It all started about a month ago, when I was looking through Autoruns and Process Explorer to determine why my CPU and HDD activity was high while doing nothing resource intensive on the laptop. While ruling out the normal Windows updates and other items that usually account for the activity, I noticed that the command lines for winlogon, svchost and explorer.exe were not right. When I started to investigate more, I found that my firewall had been completely turned off by something and that I had weird connections in netstat; Windows would not allow me to turn my firewall back on.

Then, before I could log or remember what all the symptoms were, my PC restarted on its own and took me to the Windows login screen. Usually I am the only account on the PC, but this time I was given the choice to log in as Administrator or my account. I logged in to my account and it went okay, except that now my display had its brightness changed all the way to 0 (this is a laptop display btw) so I could barely see what I was doing, and my desktop background changed to black. Eventually I figured out my group policy settings had been changed by an Unknown user account and I was no longer able to do administrative tasks or connect to the internet. I started in safe mode and had difficulty trying to manage group policy on my PC, especially since it's Windows 7 Home Premium. Oh, by the way, I noticed my fiancée's PC started to do the same thing, and determined through router logs that the malware was using the router to infect other PCs on the network.
Anyway, to make a long story short, I eventually changed the settings, got admin back and did the following:
1. Booted into recovery (fixed MBR, etc. with bcdedit)
2. Booted into Seagate tools and erased the disk and reformatted
3. Disconnected the router, and installed a new router with a different SSID and password
4. Reinstalled Windows 7 Home Premium with Service Pack 1 from an ISO burned to disc
5. Installed Windows 7 updates, installed drivers for the laptop, changed firewall settings to block all incoming connections (downloaded Microsoft Security Essentials with the Win7 updates)
-- also, I downloaded Win 7 from my Microsoft Store account on my MacBook instead of my infected Sony laptop; I think the MacBook was uninfected but not sure --
I have recovery disks, but I'm afraid that the malware could have been on them. I am now back on my PC, but have noticed strange items in my system32 folder, strange messages in logs, my DNS addresses are both the same as my default gateway, lsass, csrss, etc. running more than usual, explorer.exe's cmd line is "Explorer.EXE" (I don't know if the exe is supposed to be caps or not?). I have 7 svchost.exe's running, firewall rules are being changed from disabled to active on their own, the PC is using too many resources, IE has acro search hooks already but no redirects that I could tell. Also in my start-up programs list, CCleaner reports that GrpConv -0 is set to RunOnce on restart; I don't know what that is, but I've never seen it before.
I could not scan win32k.sys on any online sites because it would disappear from system32 when trying to upload, but instantly reappear if I opened system32 from Windows Explorer while not trying to upload. Event Viewer had multiple concerning messages, although I'm unsure if it's bad to have previous registry settings being opened by another user or not. My antivirus says the system is clean but I don't know if I trust it. Any help/suggestions would be greatly appreciated. Also let me know if you need additional info.
P.S. - I forgot to mention, I believe that I first started noticing problems when my Ricoh SD card drivers were corrupt. I remember reading strange messages in the drivers' .ini files, but can't remember what they were. I don't know if this is significant or not.
Edited by surge1223, 12 July 2012 - 01:02 PM.
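As an added example (my own script, not something the poster ran or that was posted in this thread), here is a PowerShell triage snippet that collects the specific things the poster lists so they can be saved and diffed against the same report taken from a known-clean Windows 7 install: process paths and command lines for the named system processes, the number of svchost.exe instances, Run/RunOnce entries (where a GrpConv entry would show up), DNS servers versus default gateway, firewall profile state, and a local SHA-256 of win32k.sys so it can be compared against the copy on the install media without uploading it. It assumes an elevated PowerShell 2.0 or later session on Windows 7 (hence Get-WmiObject and netsh rather than the newer Get-Net* cmdlets) and that certutil.exe is present, as it is on every Windows install. The output path and the object field names are my own choices.

```powershell
# Added triage example (not from the original post). Gathers the indicators the
# poster mentions into one object that can be saved and compared with a clean machine.
# Assumes an elevated PowerShell 2.0+ session on Windows 7; certutil.exe ships with Windows.

$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Image paths and command lines of the processes the poster was watching.
#    File names are case-insensitive on Windows, so "Explorer.EXE" versus "explorer.exe"
#    means nothing by itself; the directory the image loads from is what matters.
$watch = 'explorer.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe'
$procs = Get-WmiObject Win32_Process |
    Where-Object { $watch -contains $_.Name.ToLower() } |
    Select-Object Name, ProcessId, ParentProcessId, ExecutablePath, CommandLine
$svchostCount = @($procs | Where-Object { $_.Name -ieq 'svchost.exe' }).Count
# Any of these running from somewhere other than %SystemRoot% deserves a closer look.
$outsideSystemRoot = @($procs | Where-Object {
    $_.ExecutablePath -and
    -not $_.ExecutablePath.ToLower().StartsWith($env:SystemRoot.ToLower())
})

# 2. Run / RunOnce entries for the machine and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |   # skip PowerShell's own PSPath etc.
            ForEach-Object { New-Object PSObject -Property @{ Key = $k; Name = $_.Name; Value = $_.Value } }
    }
}

# 3. DNS servers versus default gateway. Identical values normally just mean the home
#    router is acting as a DNS forwarder; what matters is which upstream servers the
#    router itself is configured to use, which has to be checked on the router.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
$dnsInfo = $nics | Select-Object Description, IPAddress, DefaultIPGateway, DNSServerSearchOrder
$dnsEqualsGateway = @($nics | Where-Object {
    $_.DefaultIPGateway -and $_.DNSServerSearchOrder -and
    ((Compare-Object $_.DefaultIPGateway $_.DNSServerSearchOrder) -eq $null)
}).Count -gt 0

# 4. Firewall profile state. netsh is used because Get-NetFirewallProfile does not exist on Windows 7.
$fwState = netsh advfirewall show allprofiles state

# 5. SHA-256 of win32k.sys, computed locally so nothing has to be uploaded. The reference
#    hash comes from the same file on the Windows 7 SP1 install media, not from this script.
#    certutil prints the hash on its second output line (with spaces between bytes on Win7).
$win32k = Join-Path $sys32 'win32k.sys'
$win32kHash = if (Test-Path $win32k) {
    ((certutil -hashfile $win32k SHA256 | Select-Object -Index 1) -replace ' ', '').Trim()
} else { 'win32k.sys not found in System32' }

# Bundle everything, save it, and print it. Run the same script on a freshly installed
# machine and compare the two XML files with Compare-Object on the fields you care about.
$report = New-Object PSObject -Property @{
    TakenAt            = Get-Date
    Processes          = $procs
    SvchostCount       = $svchostCount
    OutsideSystemRoot  = $outsideSystemRoot
    Autoruns           = $autoruns
    DnsInfo            = $dnsInfo
    DnsEqualsGateway   = $dnsEqualsGateway
    FirewallState      = $fwState
    Win32kSha256       = $win32kHash
}
$report | Export-Clixml (Join-Path $env:USERPROFILE 'triage-report.xml')
$report
```

Seven svchost.exe instances and a RunOnce entry are not by themselves signs of compromise, which is why the script records them rather than flagging them: the useful signal is the difference between this report and the one from the clean reinstall, not any single value.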