Okay, so I usually don't ask for help with computer problems, as figuring it out for myself leads to me learning more than letting someone else do it for me. But unfortunately, I'm completely at a loss and my continued lack of access to my files is causing issues. Not to mention, I'm not the only person I know who's infected with this and would like to help others as best I can. I humbly request your help with this problem.
So a bit of quick backstory. I'm a college student currently attending a community college close to my area. The semester is basically over and I've been spending loads of nights up late finishing papers. Some didn't quite get finished, so I put them on my flash drive in a desperate attempt to finish them in the library before class. I'm sure you can see where this is going. Blame my sleep deprivation for such a foolish move, as usually I'm much more security conscious. But in this instance, I plugged my flash drive into one of the library laptops and wound up with a serious bit of malware. It's actually infected the entire school network and a few of my friends who don't attend that school, so I assume it's relatively prevalent.
Story aside, here's what I currently know about it (based on observing it infect clean machines, using infected machines, and attempting to remove it):
- It seems to spread via autorun files. All USB devices that are subsequently plugged in are infected with an autorun.inf file and a batch file. It downloads a file called "Au_.exe" to temp files along with a network .dll file (excuse my shoddy memory, I'm not in front of my computer or my notes right now).
- When it's first beginning to infect, it will run multiple instances of svchost.exe (almost always followed by a -k) and other seemingly normal processes. It attaches threads to them that are abnormal though (lots of ntdll.dll) and will use up a lot of CPU. It will alter these and other programs, especially anti-virus and the like, so that it remains undetected. It also attaches itself to critical .sys and .dll files.
- During the infection it creates or alters "c:\system.sav" and "c:\recovery" directories. I actually zipped up their contents mid-way through this in hopes of assisting in determining what it is. It also begins connecting to massive amounts of other IP addresses and sometimes even what looks like random hex addresses. I assume it's using the host network to launch a DDoS attack or something similar.
- Once infected, it becomes incredibly difficult to remove. As mentioned earlier, it tampers with anti-virus and similar types of software to ensure it is not detected. It will interfere with the updating of database files. And it will alter newly downloaded exe files. Almost every scan I've run has turned up nothing. The only way I think this could be beaten is by downloading the files needed on a fresh computer and burning them to an unalterable medium. Or alternatively just running a live boot OS to try and get to the issue before anything from the drive is loaded.
- I also attempted to disable parts of it temporarily by disabling the network adapter. Foolish move on my part. My computer now no longer believes the adapter is there and I cannot connect to the internet. It's probably a simple driver issue, but I can't fix it until this is dealt with. And the rapid connections to seemingly random IPs continue, so the infection must've found a way back online.
I've googled most of the specific symptoms in an attempt to find out what malware this is. While certain symptoms seem to suggest one answer, others point in a completely different direction. Hell, it could be multiple pieces of malware for all I know. Or a relatively new one that implements many different strategies of older ones and as of yet has evaded detection. Regardless, I really would like to regain access to my computer without a reformat if possible. Please and thank you!
EDIT: Wow, I forgot a really basic detail. I'm running Windows 7 Ultimate 64-bit. I've attempted to use Malwarebytes Anti-Malware, Anti-Exploit, and Anti-Rootkit so far. I've also manually killed tasks via Process Explorer and tried to stop it from executing at boot with Autoruns, but no go. I also ran a scan with the Windows Defender live boot CD, and also no dice.
Edited by autodonewiththis, 21 December 2014 - 06:27 AM.
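The post describes the infection spreading through an autorun.inf plus a batch file dropped on every USB stick. The following is an added example, not code from the poster, that shows how a triage script can check a removable drive's root for such a file and list what it would ask Windows to launch; the autorun.inf contents and the launch.bat name are constructed stand-ins, not a capture from this infection.

```python
import configparser
import os
import tempfile

# Constructed sample in the shape the post describes (autorun.inf pointing at a
# batch file on the same drive). Not a real capture from the poster's machine.
SAMPLE_AUTORUN = """[autorun]
open=launch.bat
shellexecute=launch.bat
shell\\open\\command=launch.bat
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

LAUNCH_KEYS = ("open", "shellexecute")
SUSPICIOUS_EXT = (".exe", ".bat", ".cmd", ".vbs", ".scr", ".pif", ".com")


def parse_autorun(text):
    """Return (key, command) pairs that an autorun.inf asks Windows to run."""
    # interpolation=None keeps '%SystemRoot%' style values from being expanded.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return []
    cmds = []
    for key, value in cp.items("autorun"):  # keys are lowercased by configparser
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            cmds.append((key, value.strip()))
    return cmds


def assess_removable_root(root):
    """Check a drive root for an autorun.inf that launches a script or executable."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return {"autorun": False, "launches": [], "missing_targets": []}
    with open(inf, encoding="utf-8", errors="replace") as f:
        cmds = parse_autorun(f.read())
    launches = [(k, v) for k, v in cmds if v.lower().endswith(SUSPICIOUS_EXT)]
    # A launch target that is absent from the drive is still worth reporting.
    missing = [v for _, v in launches if not os.path.isfile(os.path.join(root, v.split()[0]))]
    return {"autorun": True, "launches": launches, "missing_targets": missing}


def build_sample_drive():
    """Create a throwaway directory laid out like the infected USB root (constructed)."""
    root = tempfile.mkdtemp(prefix="usbroot_")
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "launch.bat"), "w") as f:
        f.write("@echo off\r\nrem inert placeholder standing in for the dropped batch file\r\n")
    return root


if __name__ == "__main__":
    print(assess_removable_root(build_sample_drive()))
```

Run it against a real drive by passing its root (for example `E:\`) to `assess_removable_root`; a result with `autorun` true and any `launches` is a drive to isolate and image rather than open.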