
Multiple Symptoms - Remote Server Controls PC User "SYSTEM"


No replies to this topic

#1 Flamo

Members, 1 posts

Posted 28 November 2015 - 07:54 AM

This PC with Win7 Pro X64 is my test PC, so there's no data to keep. I'm looking for a solution to apply to other devices, too.

 

One thing the infection does is use the Roaming profile/Sync to infect any device I use (even on a different ISP in another state!) as soon as I log into my Time Warner Cable webmail. TWC says they can't help because I own my own cable modem due to a very tight budget. I pull the Ethernet cable from the modem unless I need it to prevent tons of connections to my PC. Last I checked there were 256 users approved to log in.

 

My roommate has a Toshiba laptop that got infected going online with my connection, as Kaspersky Internet Security forces you to do before it will run (pretty stupid, eh?).

 

I received a Kindle Fire, and it got infected using the out-of-state different company ISP when I signed in to TWC webmail.

 

There also appears to be a virtual machine hidden within my C: partition, but operating as a separate hard drive with XP Pro as the OS. My local repair shop thought they'd fixed it, but all the bad behavior started right back up when I got it home.

 

I've run DBAN, Clean All and Partition Magic trying to delete it with no success. Regardless of what OS I try to install after an erase (XP Home or Pro, Win 2000 Pro, Ubuntu 14.xxx) the Windows 7 install screen comes up as if there's a doctored copy somewhere on the PC already.

 

A tool or utility or anti-malware program can be used only once. It appears that the malware makes a copy of it, modifies its behavior, puts a hidden shortcut within the desktop shortcut, and allows only its copy to run. Therefore it always appears clean. Logs are sometimes "disappeared" when I do "Save As/Desktop".

 

As I type here, the malware appears to be messing with my keyboard: dropping letters, placing the typing cursor several letters away from where I click, highlighting the entire paragraph when I select a word, needing several clicks in clear space to remove the paragraph highlight.

 

When I was getting help at Windows Seven Forums, it blocked my ability to post by forcing a second sign-in when I was already signed in, which removed everything I'd typed. I was able to copy, sign out, close and reopen Firefox, sign back in, paste and then it would post.

 

I'm locked out of BIOS/CMOS and my cable modem by replaced passwords (I used the 13-character minimum, alpha-numeric with symbols kind), and out of many admin functions, even when using the hidden admin account, by "You must get permission from Trusted Installer" or "Access denied". If I get into a folder and open a document successfully, they are blocked the next time I try.

 

Cannot set up an alternative broadband connection; only the "Unidentified Network" installed by the malware will connect. I long ago physically removed the modem card and serial port and uninstalled them so they didn't appear in the registry. Device Manager shows them available and working. I was able to see a bunch of dialup software and XML instructions at one point.

 

Cannot install my printer. Only MS Document Writer is allowed.

 

Whenever I think I'm getting somewhere with this monster, it finds a way to force a reboot and reload itself. Can't change a driver to the OEM one, can't update BIOS through DOS, can't keep Internet Explorer from running in the background.

 

Please say there's some hope for at least one of the devices! The Toshiba owner got the Recovery USB stick, but we're afraid to run it yet. Toshiba call-in help will be back up on Monday, they say.

 

Thanks for any time and consideration anyone is willing to give.

Flamo


