I am the IT staff. I am asking for assistance. I am really struggling with some nasty stuff. This is not my first rodeo with malware. What is on here is very sophisticated, and nothing so far is picking it up or stopping it, including clean reinstalls. Here is an excerpt for a staff member to read:
I will tell you everything I have done, in the exact order, so you know what steps I have taken.
We are running McAfee Enterprise 8.8 and Malwarebytes Corporate on the primary server and local workstations. We also have a SonicWall TZ210 with every subscription they have. We have a primary server (Dell PE 2900), ten workstations (Dell OptiPlex 360), one laptop (Sony VAIO), and one backup server (PE SC420).
Our network started getting really slow a few weeks ago. Then all the DNS settings kept getting changed. As I began to investigate the DNS issue, and once I would get that solved, other things started happening, like GPO not processing, Administrator accounts not being elevated, being unable to install any security or malware programs, Windows Update turned off and then back on, profiles not syncing to the server, file and sharing permissions changed, the Guest account activated on the domain controller, etc. Then local policies started being overwritten, Windows updates were rolled back on the local machines, and DNS settings were still being rewritten. The Domain Admins were locked out of GPO, and there were registry items that were completely locked and inaccessible. Windows Firewall settings were overwritten or disabled, or re-enabled with crazy settings. We changed the Admin passwords many times during all this. IPv6 tunnels were everywhere despite IPv6 being turned off and the Microsoft Fix to disable IPv6 applied. Each time I solved any one of these challenges, another set of challenges arose.
I “unjoined” three desktops from the domain and started working on those desktops. I changed the DNS settings so they would not communicate with the server. I ran MiniTools and just about any other tool I could get my hands on. Any time I began work on these workstations, the primary server went crazy with activity, despite the fact that they were not supposed to be communicating and they were “unjoined” from the domain.
I have run many scanners, and none have picked up anything in normal mode, safe mode, or safe mode with networking on the servers and workstations. I have run these scanners:
• McAfee Stinger
• Windows Security Scanner
• Windows Malicious Software Removal Tool
We have two separate internet lines from our DSL provider. I took five workstations off the primary network to do reinstalls. I also took the backup server off the network to do a reinstall. My plan was to reinstall each machine and put them on the second route, which is supposed to be clean, as there are no other machines or peripherals on that route. I purchased a brand new router and a brand new switch, reverted the modem to factory defaults, and set strong administrator passwords (as always). I then reinstalled the five desktops and the backup server, making sure not to put any of them on the second “clean” network until McAfee and Malwarebytes were installed. I did not put any USB or jump drives in any of the units.
I have not put any of the desktops on the second route yet (all desktops are running Windows 7 32-bit; they are OptiPlex 360s). This route is a static route with one primary WAN address. While working on the server (Windows 2008 Enterprise R1 on an old PowerEdge SC420), I did the reinstall, deleted all partitions, reformatted new partitions, and changed local policy to disable AutoRun and enable UAC. Prior to installing any server roles or Windows Updates, I installed McAfee 8.8 from CD (the CD was burnt on my laptop, which according to all scans is not infected; it is also not showing any signs of infection). McAfee put itself into protection mode, and when McAfee needed to update definitions, I put it on the “clean” route, and as soon as it hit the internet, the screen flashed and the DNS settings were changed. The definitions did not update, and upon restart, the Guest account was enabled and the Administrator could no longer install security programs. When trying to copy Malwarebytes Chameleon to the desktop of the server, it would not let me copy two files, svchost and winlogon, from the Chameleon directory, despite trying everything.
The interesting thing that happened while the DNS settings were changed was that the IP address on the backup server was set to the LAN IP address of the primary server on the main route, even though it was set to obtain an address automatically. I have all the networking equipment here in my office, and I can assure you that the two routes are not communicating with each other on the LAN side.
I still have not put any of the five workstations referenced back on the network because I am afraid they will get infected, if they are not already. I have not put any burnt CD (only the MS Win7 install CD) or USB drive into these desktops. I have disabled AutoRun and enabled UAC.
I do want to mention these few items:
• I made the mistake of using an admin password on the backup server reinstall that I used previously on the main network (strong, 17 character password).
• I burned the CD with McAfee from my laptop to use in the server reinstall.
• My laptop was on the wireless on the second route earlier in the day; however, it was not on the route when I connected the clean reinstalled server and it instantly got infected.
Last night I tried to run the MS Malicious offline scanner on my laptop (Sony VAIO). I was able to run both Microsoft scanners in normal mode (Safety & Malicious), but I was not able to boot the computer to the offline scanner, despite many attempts. Both scans showed no infection. Malwarebytes scans show no infection. McAfee scans show no infection.
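Added example, not part of the original post: a read-only PowerShell triage script that records the settings the poster reports being changed (DNS servers, the Guest account, IPv6 tunnel state, firewall profiles, the Windows Update service, and the AutoRun policy) so that a freshly reinstalled host can be baselined before it touches either route and diffed afterwards. It targets Windows 7 / Server 2008 with PowerShell 2.0 and an elevated prompt; the `$Expected` DNS server list, the `$Report` file name and the function names are assumptions, not anything from the post.

```powershell
# Added example, not from the original post. Read-only triage for the symptoms
# described above (DNS rewritten, Guest enabled, IPv6 tunnels, firewall and
# Windows Update toggled, AutoRun policy). Assumes Windows 7 / Server 2008 with
# PowerShell 2.0 and an elevated prompt; $Expected and $Report are assumptions.
$Expected = @('192.0.2.10')        # assumed: the only DNS server a host should use
$Report   = "$env:COMPUTERNAME-state-$(Get-Date -Format 'yyyyMMdd-HHmmss').txt"

function Get-DnsState {
    # Per-adapter addresses and DNS search order; WMI is available on PS 2.0
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
        Select-Object Description, DHCPEnabled, IPAddress, DNSServerSearchOrder
}

function Test-DnsServers {
    # Returns one line per adapter whose DNS list contains an address not in $Expected
    param([string[]]$Expected)
    foreach ($nic in Get-DnsState) {
        $bad = @($nic.DNSServerSearchOrder) | Where-Object { $Expected -notcontains $_ }
        if ($bad) { "UNEXPECTED DNS on '$($nic.Description)': $($bad -join ', ')" }
    }
}

function Get-LocalAccountState {
    # Guest being re-enabled was one of the reported symptoms
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Select-Object Name, Disabled, Lockout, PasswordRequired
}

function Get-IPv6State {
    # The Microsoft Fix it writes DisabledComponents=0xFF; tunnel adapters
    # (isatap, 6to4, Teredo) showing up anyway is what to look for
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $dc  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisabledComponents
    New-Object PSObject -Property @{
        DisabledComponents = $(if ($dc -ne $null) { '0x{0:X}' -f $dc } else { 'not set' })
        Interfaces         = (netsh interface ipv6 show interfaces | Out-String)
        Teredo             = (netsh interface teredo show state | Out-String)
    }
}

function Get-HostPolicyState {
    # Firewall profiles, the Windows Update service, and the AutoRun policy value
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Object PSObject -Property @{
        Firewall           = (netsh advfirewall show allprofiles | Out-String)
        WindowsUpdateSvc   = (Get-WmiObject Win32_Service -Filter "Name='wuauserv'" |
                                Select-Object State, StartMode | Out-String)
        NoDriveTypeAutoRun = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    }
}

# Write everything to one text file so two runs can be diffed with Compare-Object
$sections = @(
    '=== DNS / IP ===',            (Get-DnsState | Format-List | Out-String),
    '=== DNS check ===',           (Test-DnsServers -Expected $Expected | Out-String),
    '=== Local accounts ===',      (Get-LocalAccountState | Format-Table -AutoSize | Out-String),
    '=== IPv6 ===',                (Get-IPv6State | Format-List | Out-String),
    '=== Firewall/WU/AutoRun ===', (Get-HostPolicyState | Format-List | Out-String)
)
$sections | Out-File -FilePath $Report -Encoding ASCII
Write-Host "Wrote $Report"
Test-DnsServers -Expected $Expected
```

Run it once on the rebuilt host while it is still off both routes, once again after it has been connected, and compare the two files with `Compare-Object (Get-Content first.txt) (Get-Content second.txt)`; the lines that differ are the first things to look at. One caveat: this script asks the same operating system that may be compromised, so its value is in the diff and in corroboration from outside the host (the router's DHCP lease table, the SonicWall logs, a packet capture from a switch mirror port), not as proof that a machine is clean.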