My experience from troubleshooting inside Windows and Linux at this level is limited and I hope to learn some more, hopefully with your help. I am as curious as I'm devastated over my problem, which I will share with you here.
My environment lately has been dynamic and I've been testing and reinstalling Windows 10 a lot. Due to problems, really; registry problems, I thought at first. I've also been running Linux Mint 18 Cinnamon the last couple of weeks; that disk has been totally wiped now. The Windows disk and the Linux disk have been isolated because I wanted to avoid dual boot. I've been running a Tomato/Merlin router on ASUS hardware. Most recently I've been running pfSense on a Gigabyte board via a bridged modem.
Affected OS, Windows 10 / Linux? Both, for sure, no doubt about it.
Network? Most recently a pfSense router installed on a Gigabyte board with an integrated Celeron. Before that Tomato; I removed Tomato because it was behaving oddly. pfSense as well, recently.
Origin? Old PC, disk MBR or USB MBR. I suspect it's been around for a while, but not as severe as it is right now. It seems to have been slowly getting worse up till now, when it has been escalating, rendering the PCs more or less useless.
Hardware affected? ASRock Fatality X99 Extreme, Samsung SSDs (did recent firmware updates via the Samsung tool on a dirty Win 10), Gigabyte board with old BIOS, Gigabyte board with new AMI BIOS.
Anti-virus? Emsisoft security suite; also tried ESET. The firewall in both products doesn't seem to be active and it uses Windows Firewall instead.
What does it do? I'm not completely sure, but I will try to explain what I've seen and what I suspect. It's MBR based for sure, and might also have spread to the BIOS due to a recent BIOS update via network.
BIOS loads twice, probably; DisplayPort activation is really slow at startup. Interrupting the boot sequence, restarting the PC in the boot sequence, after recent changes or after adding new hardware. BIOS looks odd, probably just an "emulated" hacked version of the real copy. Changes in the BIOS do not apply. If I, for example, turn off virtualisation or ACPI, it's not really turned off when booted into Windows. USBs that are moved between computers have their boot info magically removed and are shown as unknown devices till reformatted with diskpart. I've seen a glimpse of startup processes trying to execute PXE boot even though it's turned off. COM port 1 in Windows is active and has some part in all this, I don't know, but I never used a COM port on my mobo before. USB devices do not always work on startup in Windows; one has to manually reconnect them before logging in. CPU fan speed is at 100%. I can no longer control this in the BIOS. Problems booting some rescue disks, not all but some. I never find any traces of infection. The last copy of Win 10 was installed with Secure Boot activated.
It probably runs virtual machines, servers, an SSL server, a VPN server and what not, in both Linux and Windows, as it seems. It slows down the PC, it makes surfing really slow, weird settings and occurrences going on all the time. I heavily suspect packet sniffing, USB sniffing and DNS redirect. All processes mentioned are processes and services I myself have not manually added to the system, yet they are up and running. Applies to both Win and Linux. When installing Linux and reviewing the installation, the first thing I notice is a bunch of cgroups, tmpfs disks (20+) and VirtualBox guests being installed. Last time I was also not able to change the Linux software sources. Packages did also not look correct, with my limited knowledge; packages had slightly different names and were redirected to archived sources, for example.
Win 10 logs have been showing remote logins from Windows Assistant, weird SMI logs, ACPI logs, logs mentioning Remote Desktop, unknown disks at \\.\. Overall it feels like my point of view into what's going on is limited; I don't get the full picture.
Every new install of an operating system I have made recently has been on an SSD disk that has been secure erased with a genuine copy of Parted Magic. Whether this disk has been clean or not is impossible to tell; I would assume not. Disks were then removed right after, without creating a new MBR.
So, any ideas of what this might be? Any ideas of how to identify or gather more information?
Edit: cleaned up text
Edited by hamluis, 12 July 2016 - 09:45 AM.
Moved from Internal Hardware to Am I Infected - Hamluis.