Posted 12 October 2012 - 03:50 PM
Not sure where to start so...
My OS, I have an ISO burned to a DVD of a sysprepped x64 Windows 7 SP1 Pro. Installation goes well on any system (laptop or desktop) I put it on and remove and have checked and double checked all installation logs; nothing stands out that would cause issues though I do see the person that sysprepped the image didn't cleanup completely, see minor footprints in logs. Currently, using a Dell Inspirion 1521.
My symptoms, once I do a full Windows Update and load in my programs (Visual Studio 2010 Team, Perl, Win SDK, etc.) after awhile (can't given specific time line its random) I start losing permissions to items such as directories or resouces my once working fine programs need suddenly they can't or trying to save a downloaded file to my desktop, etc. and will persist when I enable the Admin account and use it as well. Along with permissions, abnormal amounts of network traffic or lots of connections for just opening one website, i.e caught *.112.2o7.net talking this last time but the package is encrypted and destination is vague and lots of multicats connections 224.x.x.x, 239.x.x.x etc to the loopback adapter.
My actions, used every spyware and free online scanner with at best finding 19 tracking cookies one time (SuperSpyWare), used Kaspersky and Symantec rescues to scan the DVD, have installed Symantec 2013 and Kaspersky 2013 prior to going online for Windows Update, have used tools such as Rkill, ComboFix, TDSKiller, Gmer (for the registry access), awsMBR and run loggers like OTL, HiJack and DDs (though not well versed in portions of their output to detect anything) and come up empty. Only thing I can say for sure is when I've used any of these tools (not just ComboFix) things seem to go Twilight Zone'ish randomly, i.e. ran TFC and when I logged back in after reboot the computer icon was now combofix's icon in explorer. Only thing I can see is in the last OTL output is shows a catagory I haven't seen in other's output, shows a ========== ZeroAccess Check ========== with entries underneath but not sure if this should be there or not.
I've wiped the hardware completely multiple times (dd, dcfldd, nwipe, etc) and reinstalled fresh multiple times yet get the same strange occurances. Only guess I have is maybe the person that sysprepped the iso had some virus or malware maybe not cleaned out well? Other than that at a lost, especially watching from windbg security kernel calls returning access denied yet not indicating why.
Where I'm at, I have wiped the system again and have a fresh install that hasn't touched a network yet. So before I do anything with it was wondering if someone could look at any logs they may need to see if I am dealing with an infection? And as for using another ISO, can't at the moment, I'm stuck with this one and under a timeline to get some work done. My thanks in advice to any and all help.