Hi Bleeping Computer
I have resorted to asking for help with regard to what I believe may be a rootkit, possibly even hypervisor malware (excuse this, as I only mention it in complete ignorance, but it matches what seems to be the array of problems I am receiving).
I fear that my motherboard's firmware has been compromised.
To just confirm, I have resorted to low-level formats on all my drives and ROG's Secure Erase for my SSDs, and still this malware laughs in my face. Also my router is continually getting compromised. I have reflashed firmware and rebought 3 routers. All of them get hacked within 20 seconds from what my limited networking knowledge shows me.
I have restored my home-built PC no less than 20 times now, and each time I see more and more indicators of the malware, possibly a small part paranoia and Microsoft's and other companies' very misleading and suspiciously named services and programs.
What I believe has confirmed this for me happened during the Win 8 installation process.
When choosing custom install, at the bottom there is the Load Drivers option. Now when I click this (keep in mind I have a £5 basic keyboard and no mouse, a precautionary measure with my gaming hardware all containing memory, and every single HDD physically disconnected), it is showing a second X: drive on top of the installation CD. Now when I expand this drive it contains a lot of suspect folders, even more so with the folders having names and data that could not possibly be there on the installation CD, and a large WOWsys64. I have tried using DiskPart to format, delete, forcibly corrupt and /force on it all; however, I cannot access it as it is write protected.
Now I believe I am then being opened up and obliterated with Windows PowerShell and my comp is being converted into a VM. I have made every attempt to try and combat this, and before I know it everything is reverted back.
I am also constantly getting virtualapp/didlogical added in the generic credentials; even following deletion, it's back in minutes.
On top of that, the computer is getting a plethora of tasks added to Task Scheduler.
The certificate security system is completely useless, and no matter how many security enforcements I enable in MMC policies, my comp will not rid the PC of invalid, revoked or altered certificates. I have tried adding my own security cert; however, I am locked out from doing this also.
MSE is unable to start. I also use Symantec Endpoint business protection and also Malwarebytes Premium and their real-time premium exploit protection. When trying to install Malwarebytes it fails completely, including all Chameleon installers.
My Symantec history logs are a joke because as soon as it detects intrusions, it's immediately followed by created rules and generated access. I constantly have an army of duplicate and hidden network adapters that will immediately reappear on next logon following removal, even through the system registry route.
sfc /scannow cannot fix corruptions.
I believe all my accounts are compromised, even following multiple password changes. I also adopt the phone authenticator for these accounts, but it's no use, as the moment I attach a device to my network it gets hacked. I am guessing that there is malware that can possibly allow access to the authenticator.
This is but a tiny fraction of the problems I have encountered, but the best part is I have a website recently started that was going to be my parent company site for my business, which is allinonespot.com. To help with networking and to see statistics I use a service called brandyourself.com, which logs all instances of site visits. What's funny, in a hopelessly sad way, is that I suddenly started receiving huge amounts of activity from Beijing and Russia; even more peculiar is that some of the results state that my profile was visited following a link or profile supposedly on baidu.com? Also many from Russia, and also strangely "unknown", which is not how brandyourself's results are displayed.
I have found questionable logs when forcing permission changes on hidden folders (permission is reverted back instantly on next log-in) which contain very sensitive info and Facebook info, including something about this URL? I think it needs to be protected as it gives the same access as username and password. I have also had numerous Facebook logins without that person needing or having to use Facebook's authenticator.
My maintenance account is always converted to a standard profile and none of them will convert to a roaming profile.
Furthermore, I believe my critical downloads are being compromised when downloading, as when using browser development tools a lot of my downloads and site visits are either redirected or my downloads diverted to an alternate source.
The IP address that I get is 10.61.106.36, which won't show up on any IP checker site I try.
I am in desperate need of help; all 3 of my home comps are infected, and all devices, and I just don't know what to do with regards to protecting my router.
Any help with this and I will reward or "donate" 1 BTC to the site. I have also included a screenshot of some of the brandyourself results that coincided with my comp being compromised.