Good evening. And please help! I have been battling something of the likes I have never seen before. I do not claim to be a malware specialist but I am extremely tech savvy and have built and repaired hundreds of computers. I just can't seem to isolate what is going on with my computers and it is causing havoc in my world. I've been looking on this site and many others for a couple of months now looking for comparable infections. And I finally found one, but it has not been solved. I figured I would start my own thread as it is quite possibly something completely different. I want to give a link to the other gentleman's post because he nailed the description of what I am facing. I think my problem possibly stemmed from a USB autorun infection, but can't be sure. I had McAfee installed at the time. Here we go.
I have been battling a virus for quite some time; it has infected every PC I own (11) and I cannot for the life of me remove it. I am past the point of recovering personal data, I would just like access to my computers and to use them without being monitored. I believe that this is an above-normal-grade rootkit that cannot be removed by simple measures and I am at a loss as to what to try next. I have spent hundreds of hours trying to get this removed and still it remains. I will save you from an exhaustive explanation of how I came to my conclusions and try to keep this brief so as not to waste your time or send you down the wrong path. I think I am dealing with a persistent multi-payload rootkit that hypervises my PCs. One would think this would only affect one PC due to hardware limitations, but this is not the case. Here is what I have attempted in order to remove the virus.
(anything imaginable in windows)
-Removed CMOS/RAM/Power allowed to sit a week (was traveling for work)
-Flashed BIOS (ROG flashback button, fresh USB, CAB file loaded by clean PC)
-Replaced RAM (new ram)
-Replaced HD (new HD)
-All other drives removed
-Installed windows from new DVD drive using OEM WIN 8 DVD (offline)
-Installed with Secure Boot/TPM/NX enabled
-GMER detects kernel modification
-Dumped ROM/BIN from BIOS
-Examined BIOS (RWPortable)
-Hirens BCD (every tool possible)
-Most AV's do not detect any signs (with the exception that the more I install they start detecting each other as Trojans/becoming infected/stop running)
What I have learned (or think I have)
-People who experience similar issues are quickly deemed crazy or lacking the knowledge to understand that these may be normal functions of a computer. I do not claim to be an expert, I just really like computers. I could be crazy and in fact would be very happy if I was.
-Executes micro code at boot (AHCI/SMBUS/RAM memory locking), diagnosed via BIOS/several DOS tools (coreboot?)
-I believe it PXE/Sea boots although unsure
-All BIOS versions on all PC's show up as UNKNOWN through any BIOS tool
-If a hard drive is formatted/zeroed it always fails. I believe this is because of the way they write to the drive, hiding boot sectors in unreadable/locked data
-Lots of Junctions/Symlinks between folders (to retain integrity)
-PE boots PC when re-installing windows (if drive not properly formatted)
-Tons of virtual adapters/hosts
-When running system information tools on all of my PCs they all identify a separate PC and it is always a Pentium III (VM host?)
-Remote data base endpoints located in all volume information directories
-VMsphere/VHD files installed in hidden directory
-Tons of .SYS file extensions/Python scripts/Assembly/Jar files
-Extended BIOS tables, flashing only writes to the BIOS and misses these tables
-I can see all the devices, locked memory ranges etc but unsure how to edit/remove these correctly without damaging the firmware/Bios
-Any USB device I insert will originally be installed with its factory name (LEXAR 16GB DISK); upon the next insertion the driver/device will be named "GENERIC MULTIPLE CARD READER" on all devices. Several of my devices no longer function and I am guessing this is because I removed them while the firmware was being flashed.
-Certain tasks/applications in DOS cause a KERNEL PANIC and this is the last error I see as my screen locks up, hard reset is required.
-All devices are forced to an S3 power state with remote power management
-Everything in DOS is locked down. FDISK/CHKDISK/DISKPART have INI files that lock/restrict commands/options and stop them from detecting drive partitions. Memory cannot be unlocked, files cannot be deleted, symbolic links cannot be deleted and certain items cannot be accessed. I have also attempted this in MiniXP/Linux recovery/Ubuntu/every boot rescue disc imaginable. I cannot take permission of/change any of these items.
-Much more that I am most likely forgetting.
In order to remove this I believe I would have to offline flash all my firmware somehow. This is out of my scope of knowledge; I am guessing I could make an ISO that boots into DOS and runs each EXE file. Meanwhile I would have to edit the extended BIOS tables to stop the code from executing. Enabling NX/secure boot/changing SMBus/USB etc. in the BIOS makes zero difference; it seems to be able to manipulate these or reflash the BIOS prior to going back into Windows, and this still occurs with no physical drives attached and booting only from CD. I am not holding on to the idea that this is the case; this far exceeds my level of knowledge and I personally would love to be wrong. Sorry for any grammatical errors, I am exhausted and just desperately need some assistance. Once fixed I will ensure to enable the hardware lock on my BIOS. I have never before been concerned about viruses as I can low-level format the drive and re-install. Lesson learned.
Thank you for your help in advance and please let me know what information/tools/logs you would like me to provide.